Use ecparam instead of genpkey

The generated keys are just different.

As a consequence, remove key encryption support.

utils/gen-ec-cert.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 usage()
 {
-	printf "Usage: %s [-e] [-c curve] [-d days] domain\n" "${0##*/}" >&2
+	printf "Usage: %s [-c curve] [-d days] domain\n" "${0##*/}" >&2
 	exit 1
 }
 
@@ -12,16 +12,13 @@ tonumber()
 
 curve=secp384r1
 days=3650
-encrypt=
-while getopts c:d:e flag; do
+while getopts c:d: flag; do
 	case $flag in
 	c)	[ -n "$OPTARG" ] || usage
 		curve=$OPTARG
 		;;
 	d)	days=$(tonumber "$OPTARG") || usage
 		;;
-	e)	encrypt=yes
-		;;
 	*)	usage
 		;;
 	esac
@@ -34,16 +31,8 @@ if [ -f "$domain.key" ]; then
 	printf "%s: key for %s already exists; reusing it.\n" \
 	    "${0##*/}" "$domain" >&2
 else
-	(umask 077 && openssl genpkey ${encrypt:+-aes256} \
-	    -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" \
-	    -out "$domain.key")
-	if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
-		# openssl doesn't return an error code if there is a password
-		# mismatch or a password too short, and it creates the output
-		# file anyways
-		rm -f "$domain.key"
-		exit 1
-	fi
+	(umask 077 &&
+	    openssl ecparam -genkey -name "$curve" -out "$domain.key")
 fi
 
 openssl req -new -x509 -days "$days" -subj "/CN=$domain" \