diff --git a/CHANGES b/CHANGES
index 0e115315a3..0213d865db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,11 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) New '-newreq-nodes' command option to CA.pl.  This is like
+     '-newreq', but calls 'openssl req' with the '-nodes' option
+     so that the resulting key is not encrypted.
+     [Damien Miller <djm@mindrot.org>]
+
   *) New configuration for the GNU Hurd.
      [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]
 
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index f1ac7e7726..8b2ce7ea42 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -5,7 +5,7 @@
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request 
+# CA -newreq[-nodes] ... will generate a certificate request 
 # CA -sign ... will sign the generated request and output 
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key 
@@ -54,7 +54,7 @@ $RET = 0;
 
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
-	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
@@ -66,6 +66,11 @@ foreach (@ARGV) {
 	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
 	    $RET=$?;
 	    print "Request (and private key) is in newreq.pem\n";
+	} elsif (/^-newreq-nodes$/) {
+	    # create a certificate request
+	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request (and private key) is in newreq.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -143,7 +148,7 @@ foreach (@ARGV) {
 	    }
 	} else {
 	    print STDERR "Unknown arg $_\n";
-	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 1;
 	}
 }
diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod
index 63cd1320cc..58e0f52001 100644
--- a/doc/apps/CA.pl.pod
+++ b/doc/apps/CA.pl.pod
@@ -13,6 +13,7 @@ B<CA.pl>
 [B<-help>]
 [B<-newcert>]
 [B<-newreq>]
+[B<-newreq-nodes>]
 [B<-newca>]
 [B<-xsign>]
 [B<-sign>]
@@ -46,6 +47,10 @@ written to the file "newreq.pem".
 creates a new certificate request. The private key and request are
 written to the file "newreq.pem".
 
+=item B<-newreq-nowdes>
+
+is like B<-newreq> except that the private key will not be encrypted.
+
 =item B<-newca>
 
 creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>