diff --git a/account/mksyscert.in b/account/mksyscert.in
index a7dcec216fcc5561e8d8a908efbd6defb408faec..a0c9ccc9a691945b7c1b1d073ce8a4633d43908e 100755
--- a/account/mksyscert.in
+++ b/account/mksyscert.in
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 #
-# Copyright (c) 2000-2019 University of Utah and the Flux Group.
+# Copyright (c) 2000-2020 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -87,6 +87,7 @@ my $EMULAB_CERT = "$TB/etc/emulab.pem";
 my $EMULAB_KEY  = "$TB/etc/emulab.key";
 my $OPENSSL     = "/usr/bin/openssl";
 my $WORKDIR     = "$TB/ssl";
+my $RANDFILE    = "./.rnd";
 my $SAVEUID	= $UID;
 my $certfile    = $EMULAB_CERT;
 my $keyfile     = $EMULAB_KEY;
@@ -207,6 +208,22 @@ if (!defined($email)) {
 chdir("$WORKDIR") or
     fatal("Could not chdir to $WORKDIR: $!");
 
+#
+# Some sillyness to deal with changes to .rnd file handling across
+# versions of openssl.
+#
+if (! -e $RANDFILE) {
+    system("/bin/dd if=/dev/urandom of=${RANDFILE} bs=256 count=4");
+    if ($?) {
+	fatal("Could not generate $RANDFILE");
+    }
+}
+#
+# Older versions of openssl ignore -rand option, but use this environment
+# variable. New versions ignore the environment variable but use -rand.
+#
+$ENV{"RANDFILE"} = $RANDFILE;
+
 #
 # Need an index file, which is the openssl version of the DB.
 #
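Review bot: The dd call creates `.rnd` with whatever umask the script inherited, and nothing in this hunk restricts the file afterwards, so the seed may end up readable by other local accounts; the umask in effect is set outside the hunk, so this needs confirming. Tightening it is cheap: `my $oldmask = umask(0077);` before the `system()` call and `umask($oldmask);` after it, or `chmod(0600, $RANDFILE)` once dd succeeds. The `-e` test also accepts an empty file left behind by a failed earlier run, since `fatal()` does not remove it; `if (! -s $RANDFILE)` would regenerate the seed in that case. The same block is added to account/mkusercert.in and would take the same changes.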
@@ -295,7 +312,7 @@ if( defined( $oldkeyfile ) ) {
     #
     # Create a client side private key and certificate request.
     #
-    my $genopts =
+    my $genopts = " -rand $RANDFILE " .
 	($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
 
     my $output =
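Review bot: The `$genopts` string being extended here still carries the key passphrase as `-passout 'pass:${sh_password}'`, which puts it on the openssl command line where other local users can read it from the process list while the command runs. OpenSSL accepts other pass phrase sources, so while this line is being touched it could become `-passout file:$passfile`, with `$passfile` standing for a mode-0600 temporary file the script writes and removes (the name is made up for this note). The same applies to the `genrsa` and `pkcs12 -export` invocations in account/mkusercert.in. The statement that consumes `$genopts` continues past the end of the hunk, and how `$sh_password` is escaped is not visible here.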
diff --git a/account/mkusercert.in b/account/mkusercert.in
index acd871998bed3bde729a3819644de904a3a207b0..0895fd71898dc7f8dc4b8e26c16bce3c2a0fc41d 100755
--- a/account/mkusercert.in
+++ b/account/mkusercert.in
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -wT
 #
-# Copyright (c) 2000-2018 University of Utah and the Flux Group.
+# Copyright (c) 2000-2020 University of Utah and the Flux Group.
 # 
 # {{{EMULAB-LICENSE
 # 
@@ -64,6 +64,7 @@ my $PGENISUPPORT= @PROTOGENI_SUPPORT@;
 my $CONTROL	= "@USERNODE@";
 my $BOSSNODE	= "@BOSSNODE@";
 my $OU          = "sslxmlrpc";	# orgunit
+my $RANDFILE    = "./.rnd";
 
 # Locals
 my $USERDIR	= USERROOT();
@@ -252,6 +253,22 @@ chdir("$WORKDIR") or
 TBScriptLock("mkusercert") == 0 or
     fatal("Could not get the lock!");
 
+#
+# Some sillyness to deal with changes to .rnd file handling across
+# versions of openssl.
+#
+if (! -e $RANDFILE) {
+    system("/bin/dd if=/dev/urandom of=${RANDFILE} bs=256 count=4");
+    if ($?) {
+	fatal("Could not generate $RANDFILE");
+    }
+}
+#
+# Older versions of openssl ignore -rand option, but use this environment
+# variable. New versions ignore the environment variable but use -rand.
+#
+$ENV{"RANDFILE"} = $RANDFILE;
+
 #
 # Create a client side cert. Reuse the original key if are told to,
 # and it actually exists, and the password is valid.
@@ -398,7 +415,7 @@ sub CreateNewCert() {
     # Create a client side private key and certificate request.
     #
     if (!$reusekey) {
-	my $genopts =
+	my $genopts = " -rand $RANDFILE " .
 	    ($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
 
 	system("$OPENSSL genrsa $genopts -out usercert_key.pem 2048")
@@ -652,7 +669,7 @@ if ($encrypted) {
     #
     system("$OPENSSL pkcs12 -export -in usercert.pem -des3 ".
 	   "-passin 'pass:${sh_password}' -passout 'pass:${sh_password}' ".
-	   "-out usercert.p12 -rand ./.rnd")
+	   "-out usercert.p12 -rand $RANDFILE")
 	== 0 or fatal("Could not create usercert.p12");
 
     # Drop the file into the user .ssl directory.