diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index a2ba9a1331..1bffc1ae66 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -90,7 +90,25 @@ static int ssl_tmp_key_init_rsa(server_rec *s, } #endif - +#ifdef HAVE_GENERATE_EX + { + RSA *tkey; + BIGNUM *bn_f4; + if (!(tkey == RSA_new()) + || !(bn_f4 == BN_new()) + || !BN_set_word(bn_f4, RSA_F4) + || !RSA_generate_key_ex(tkey, bits, bn_f4, NULL)) + { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Init: Failed to generate temporary " + "%d bit RSA private key", bits); + ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); + return !OK; + } + BN_free(bn_f4); + mc->pTmpKeys[idx] = tkey; + } +#else if (!(mc->pTmpKeys[idx] = RSA_generate_key(bits, RSA_F4, NULL, NULL))) { @@ -100,6 +118,7 @@ static int ssl_tmp_key_init_rsa(server_rec *s, ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); return !OK; } +#endif return OK; } diff --git a/modules/ssl/ssl_toolkit_compat.h b/modules/ssl/ssl_toolkit_compat.h index e87361b7ff..b041ee8252 100644 --- a/modules/ssl/ssl_toolkit_compat.h +++ b/modules/ssl/ssl_toolkit_compat.h @@ -48,6 +48,10 @@ #include #endif +#if (OPENSSL_VERSION_NUMBER >= 0x00908000) +#define HAVE_GENERATE_EX +#endif + /* ECC support came along in OpenSSL 1.0.0 */ #if (OPENSSL_VERSION_NUMBER < 0x10000000) #define OPENSSL_NO_EC
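Review bot: In the new HAVE_GENERATE_EX branch of the first hunk, `!(tkey == RSA_new())` and `!(bn_f4 == BN_new())` compare where they should assign. Both pointers therefore stay uninitialized, the freshly allocated objects leak, and `BN_set_word` and `RSA_generate_key_ex` are called on indeterminate pointers, which is undefined behaviour on the path that creates the server's temporary RSA key. The two conditions should read `!(tkey = RSA_new())` and `!(bn_f4 = BN_new())`. The failure branch also returns `!OK` without releasing whatever was allocated; initialising both pointers to NULL and freeing them before the return closes that leak. ssl_tmp_key_init_rsa begins above this hunk, so the declarations of `bits`, `idx` and `mc` are not visible here.

```c
        RSA *tkey = NULL;
        BIGNUM *bn_f4 = NULL;
        if (!(tkey = RSA_new())
            || !(bn_f4 = BN_new())
            /* … unchanged: BN_set_word and RSA_generate_key_ex conditions … */
        {
            /* … unchanged: ap_log_error and ssl_log_ssl_error calls … */
            BN_free(bn_f4);   /* NULL if the chain short-circuited earlier */
            RSA_free(tkey);
            return !OK;
        }
```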