-mkdir -p $KEYDIR
-openssl genrsa -out $KEYFILE
-chown -R domtool.domtool $KEYDIR
-fs sa $KEYDIR $USER read
+mkdir $KEYDIR || echo Key directory already exists.
+openssl genrsa -out $KEYFILE 4096
+# chown -R domtool.nogroup $KEYDIR
+# chmod for non-afs systems
+chmod 700 $KEYDIR
+chmod 600 $KEYFILE
+if [ "$2" != '-unsafe' ]; then
+ if [ -z "`getent passwd $USER`" ]; then
+ echo "$USER does not exist. This must be a server principal."
+ else
+ chown -R $USER.nogroup $KEYDIR
+ fi
+fi
+
+fs sa $KEYDIR $USER read || echo This must be a server principal.