diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c
--- openssl-3.0.0-beta2/apps/req.c.req-password	2021-08-10 16:31:04.726233653 +0200
+++ openssl-3.0.0-beta2/apps/req.c	2021-08-10 16:31:58.286947297 +0200
@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
         EVP_PKEY_CTX_free(genctx);
         genctx = NULL;
     }
-    if (keyout == NULL) {
+    if (keyout == NULL && keyfile == NULL) {
         keyout = NCONF_get_string(req_conf, section, KEYFILE);
         if (keyout == NULL)
             ERR_clear_error();
diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in
--- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password	2021-08-10 16:32:21.863261416 +0200
+++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in	2021-08-10 16:33:19.173025012 +0200
@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for det
 =item B<-keyout> I<filename>
 
 This gives the filename to write any private key to that has been newly created
-or read from B<-key>.
-If the B<-keyout> option is not given the filename specified in the
-configuration file with the B<default_keyfile> option is used, if present.
-If a new key is generated and no filename is specified
-the key is written to standard output.
+or read from B<-key>.  If neither the B<-keyout> option nor the B<-key> option
+are given then the filename specified in the configuration file with the
+B<default_keyfile> option is used, if present.  Thus, if you want to write the
+private key and the B<-key> option is provided, you should provide the
+B<-keyout> option explicitly.  If a new key is generated and no filename is
+specified the key is written to standard output.
 
 =item B<-noenc>