diff --git a/utils/gen-ec-cert.sh b/utils/gen-ec-cert.sh
index f8769a3..4440af6 100644
--- a/utils/gen-ec-cert.sh
+++ b/utils/gen-ec-cert.sh
@@ -27,13 +27,21 @@ shift $((OPTIND - 1))
 [ $# -eq 1 ] && [ -n "$1" ] || usage
 domain=$1
-(umask 077 && openssl genpkey -aes256 \
- -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key")
-if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
- # openssl doesn't return an error code if there is a password mismatch
- # or a password too short, and it creates the output file anyways
- rm -f "$domain.key"
- exit 1
+if [ -f "$domain.key" ]; then
+ printf "%s: key for %s already exists; reusing it.\n" \
+ "${0##*/}" "$domain" >&2
+else
+ (umask 077 && openssl genpkey -aes256 \
+ -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" \
+ -out "$domain.key")
+ if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
+ # openssl doesn't return an error code if there is a password
+ # mismatch or a password too short, and it creates the output
+ # file anyways
+ rm -f "$domain.key"
+ exit 1
+ fi
 fi
+
 openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
 -key "$domain.key" -out "$domain.pem"
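Review bot: The reuse branch at `if [ -f "$domain.key" ]` accepts any existing regular file, including a zero-byte one, and a key that was not produced by this script's `umask 077` path may be readable by other users, yet the new message reports it as reused without checking either. Using `if [ -s "$domain.key" ]; then` would at least fall through to regeneration for an empty leftover instead of handing it to `openssl req`, and a warning when the file is group- or other-readable (for example via `find -- "$domain.key" -perm -o+r`, noting that `-perm` flavours differ between find implementations) would tell the user the pre-existing key is not private. It may also be worth saying in the reuse message that the existing key's curve is not checked against `$curve`, since the script no longer controls it. The option parsing that sets `curve` and `days` is outside the hunk.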