From 8cf2d8e8e4618930e7e1775326e7f144dc844b81 Mon Sep 17 00:00:00 2001
From: Leigh B Stoller <stoller@flux.utah.edu>
Date: Wed, 20 Aug 2014 15:37:47 -0600
Subject: [PATCH] Generate key in a separate call to genrsa, rather than combining
 it with the call to req (csr generation). The cipher cannot be specified when
 going via req, and we want des3. The default changed between FreeBSD 8 and 10,
 and I have no idea where to change it, so just set it explicitly on the command
 line.

---
 account/mkusercert.in | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/account/mkusercert.in b/account/mkusercert.in
index 530bb32d24..0d7339f841 100755
--- a/account/mkusercert.in
+++ b/account/mkusercert.in
@@ -258,11 +258,7 @@ if ($reusekey) {
 	UserFatal("Cannot decrypt private key. Correct pass phrase?");
     }
     $reqargs  = "-key usercert_key.pem -passin 'pass:${sh_password}' ";
-}
-else {
   newkey:
-    $reqargs  = "-keyout usercert_key.pem";
-    $reqargs .= ($encrypted ? " -passout 'pass:${sh_password}' " : " -nodes ")
 }
 
 #
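Review bot: Removing the `else` branch leaves the `newkey:` label dangling at the end of the `if ($reusekey)` block with no statement after it, which reads as accidental and, depending on the Perl version, may not even parse; either drop the label or keep a target statement after it (`newkey: ;`) if something still jumps to it. It is not visible here whether any `goto newkey` or loop control references the label, so check before deleting. `$reqargs` is still assigned on the line above for the reuse case, but the new request command in CreateNewCert below no longer interpolates it; if nothing else reads `$reqargs`, remove that assignment too so the passphrase is not kept in a now-unused string. The enclosing `if` starts outside this hunk.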
@@ -373,9 +369,18 @@ sub CreateNewCert() {
     #
     # Create a client side private key and certificate request.
     #
-    system("$OPENSSL req -new -config usercert.cnf ".
-	   "$reqargs -out usercert_req.pem") == 0
-	   or fatal("Could not create certificate request");
+    if (!$reusekey) {
+	my $genopts =
+	    ($encrypted ? " -passout 'pass:${sh_password}' -des3 " : "");
+
+	system("$OPENSSL genrsa $genopts -out usercert_key.pem 1024")
+	    == 0 or fatal("Could generate new key");
+    }
+    my $reqopts = ($encrypted ? "-passin 'pass:${sh_password}' " : "");
+    
+    system("$OPENSSL req $reqopts -new -config usercert.cnf ".
+	   "-key usercert_key.pem -out usercert_req.pem")
+	== 0 or fatal("Could not create certificate request");
     
     #
     # Sign the client cert request, creating a client certificate.
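Review bot: The new `genrsa` call hard-codes a 1024-bit key (`-out usercert_key.pem 1024`), which was already below the recommended minimum in 2014 and weaker than what most CAs and TLS stacks accept today; change it to `-out usercert_key.pem 2048` (or make the size a variable next to `$OPENSSL`). The failure message on the next line is missing a word: `or fatal("Could not generate new key");`. Both the new `-passout 'pass:...'` in `$genopts` and `-passin 'pass:...'` in `$reqopts` put the passphrase on the command line, where it is visible to any local user via `ps` for the lifetime of the openssl process; `-passout fd:N`/`-passin fd:N` with the passphrase written to a pipe, or `file:` with a 0600 temp file, avoids that, and since both `system()` calls are single strings that go through the shell, this presumes `${sh_password}` is already shell-quoted (the name suggests so, but it is not shown here). Minor: the added blank line after `my $reqopts` carries trailing whitespace. CreateNewCert continues outside this hunk.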
-- 
GitLab