diff --git a/shellpki b/shellpki
index 09c664b..019d5e7 100755
--- a/shellpki
+++ b/shellpki
@@ -137,14 +137,14 @@ warning() {
 }
 verify_ca_password() {
- "${OPENSSL_BIN}" rsa \
+ "${OPENSSL_BIN}" pkey \
 -in "${CA_KEY}" \
 -passin pass:"${CA_PASSWORD}" \
 >/dev/null 2>&1
 }
 get_real_path() {
 # --canonicalize is supported on Linux
- # -f is supported on Linux and OpenBSD
+ # -f is supported on Linux and OpenBSD
 readlink -f -- "${1}"
 }
@@ -278,17 +278,18 @@ init() {
 passout_arg=""
 if [ -n "${CA_PASSWORD:-}" ]; then
- passout_arg="-passout pass:${CA_PASSWORD}"
+ passout_arg="-pass pass:${CA_PASSWORD}"
 elif [ "${non_interactive}" -eq 1 ]; then
 error "In non-interactive mode, you must pass CA_PASSWORD as environment variable."
 fi
 if [ ! -f "${CA_KEY}" ]; then
- "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genpkey \
+ -algorithm RSA \
 -out "${CA_KEY}" \
 ${passout_arg} \
 -aes256 \
- "${CA_KEY_LENGTH}" \
+ -pkeyopt "rsa_keygen_bits:${CA_KEY_LENGTH}" \
 >/dev/null 2>&1
 # shellcheck disable=SC2181
 if [ "$?" -ne 0 ]; then
@@ -333,7 +334,7 @@ EOF
 error "Error generating the CA certificate"
 fi
 fi
-
+
 "${OPENSSL_BIN}" ca \
 -config "${CONF_FILE}" \
 -passin pass:${CA_PASSWORD} \
@@ -355,9 +356,10 @@ ocsp() {
 port=$(echo "${ocsp_uri}" | cut -d':' -f2)
 if [ ! -f "${OCSP_KEY}" ]; then
- "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genpkey \
+ -algorithm RSA \
 -out "${OCSP_KEY}" \
- "${KEY_LENGTH}" \
+ -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
 >/dev/null 2>&1
 # shellcheck disable=SC2181
 if [ "$?" -ne 0 ]; then
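Review bot: In verify_ca_password the new `pkey` call has no `-noout`, so on a correct password OpenSSL decodes the CA key and writes it unencrypted to stdout; only the `>/dev/null` redirect on the last line keeps it from going anywhere. Writing the call as `"${OPENSSL_BIN}" pkey -noout \` makes it a pure check that no longer depends on the redirect. Because stderr is discarded as well, a missing or unreadable `${CA_KEY}` is reported the same way as a wrong password; a short comment above the function saying so would help whoever has to debug a failed check.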
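Review bot: The new `passout_arg="-pass pass:${CA_PASSWORD}"` in init() still puts the CA passphrase on the genpkey command line, where other local users can read it from the process list for as long as key generation runs; OpenSSL's own documentation advises against the `pass:` form for that reason. `passout_arg="-pass env:CA_PASSWORD"` keeps it out of argv, assuming CA_PASSWORD is exported at this point (the non-interactive branch suggests it comes from the environment, but the interactive path is outside the hunk). That form also avoids the unquoted `${passout_arg}` splitting a passphrase that contains whitespace into extra genpkey arguments. The same `pass:` form is added for `${PASSWORD}` in the create() hunk, and init() starts and ends outside this hunk.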
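Review bot: The OCSP key in ocsp() is generated with no cipher and no `-pass`, unlike the CA key in init(), so it is stored in clear and protected only by file permissions; nothing in the hunk says whether that is intended. If it is (presumably so the responder can start unattended), a comment above the call such as `# OCSP key is deliberately unencrypted; access is restricted by file mode only` would record the decision. ocsp() begins and ends outside the hunk, so any chmod or umask handling is not visible here.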
@@ -671,14 +673,15 @@ create() {
 # generate private key
 pass_args=""
 if [ -n "${password_file:-}" ]; then
- pass_args="-aes256 -passout file:${password_file}"
+ pass_args="-aes256 -pass file:${password_file}"
 elif [ -n "${PASSWORD:-}" ]; then
- pass_args="-aes256 -passout pass:${PASSWORD}"
+ pass_args="-aes256 -pass pass:${PASSWORD}"
 fi
- "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genpkey \
+ -algorithm RSA \
 -out "${key_file}" \
 ${pass_args} \
- "${KEY_LENGTH}" \
+ -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
 >/dev/null 2>&1
 # shellcheck disable=SC2181
 if [ "$?" -eq 0 ]; then
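Review bot: In create(), `pass_args` is a single string expanded unquoted as `${pass_args}`, so a `${password_file}` path containing whitespace is split and the trailing words are parsed by genpkey as separate arguments. If the script has to stay plain sh (no arrays), the positional parameters can carry the options intact: `set -- -aes256 -pass "file:${password_file}"` in the branch and `"$@"` in place of `${pass_args}`. That only works if create()'s own arguments are no longer needed at this point, which the hunk does not show because the function starts and ends outside it.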