diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c

--- openssl-3.0.0-beta2/apps/req.c.req-password	2021-08-10 16:31:04.726233653 +0200

+++ openssl-3.0.0-beta2/apps/req.c	2021-08-10 16:31:58.286947297 +0200

@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)

         EVP_PKEY_CTX_free(genctx);

         genctx = NULL;

     }

-    if (keyout == NULL) {

+    if (keyout == NULL && keyfile == NULL) {

         keyout = NCONF_get_string(req_conf, section, KEYFILE);

         if (keyout == NULL)

             ERR_clear_error();

diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in

--- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password	2021-08-10 16:32:21.863261416 +0200

+++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in	2021-08-10 16:33:19.173025012 +0200

@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for det

 =item B<-keyout> I<filename>

 This gives the filename to write any private key to that has been newly created

-or read from B<-key>.

-If the B<-keyout> option is not given the filename specified in the

-configuration file with the B<default_keyfile> option is used, if present.

-If a new key is generated and no filename is specified

-the key is written to standard output.

+or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option

+are given then the filename specified in the configuration file with the

+B<default_keyfile> option is used, if present.  Thus, if you want to write the

+private key and the B<-key> option is provided, you should provide the

+B<-keyout> option explicitly.  If a new key is generated and no filename is

+specified the key is written to standard output.

 =item B<-noenc>