diff --git a/renew-le.sh b/renew-le.sh
index 7d6f003..350bac4 100755
--- a/renew-le.sh
+++ b/renew-le.sh
@@ -24,7 +24,9 @@ rm -f "$WORKDIR"/*.pem
 rm -f "$WORKDIR"/httpd-csr.*
 
 # generate CSR
-openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der"
+OPENSSL_PASSWD_FILE="/var/lib/ipa/passwds/$HOSTNAME-443-RSA"
+[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS="-passin file:$OPENSSL_PASSWD_FILE" || unset OPENSSL_EXTRA_ARGS
+openssl req -new -sha256 -config "$WORKDIR/ipa-httpd.cnf" -key /var/lib/ipa/private/httpd.key -out "$WORKDIR/httpd-csr.der" $OPENSSL_EXTRA_ARGS
 
 # httpd process prevents letsencrypt from working, stop it
 service httpd stop
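Review bot: The new `openssl req` line expands `$OPENSSL_EXTRA_ARGS` unquoted, so the `-passin` option and its path depend on word splitting and would break or glob if `$HOSTNAME` ever held whitespace or pattern characters. If the script runs under bash (the shebang is outside this hunk), build the arguments as an array instead: `OPENSSL_EXTRA_ARGS=()`, then `[ -f "$OPENSSL_PASSWD_FILE" ] && OPENSSL_EXTRA_ARGS=(-passin "file:$OPENSSL_PASSWD_FILE")`, and pass `"${OPENSSL_EXTRA_ARGS[@]}"` to openssl. The `[ -f … ] && … || unset …` line also falls through silently: when the key is encrypted but the password file is missing or unreadable, openssl will presumably prompt for a passphrase, which stalls or fails an unattended renewal, so a `-r` test with a message on stderr would make that case visible. `$HOSTNAME` is assumed to match the name FreeIPA used for the file under /var/lib/ipa/passwds; it is worth confirming that it is the FQDN on the target hosts. Passing the passphrase through `file:` rather than `pass:` is the right choice, since it keeps the secret out of the process argument list.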