diff -Nru swtpm-0.6.1/debian/changelog swtpm-0.6.1/debian/changelog
--- swtpm-0.6.1/debian/changelog	2022-02-24 01:03:33.000000000 +0000
+++ swtpm-0.6.1/debian/changelog	2022-02-24 10:26:08.000000000 +0000
@@ -1,3 +1,9 @@
+swtpm (0.6.1-0ubuntu5~bpo20.04.2) focal; urgency=medium
+
+  * Do not use 'traditional' openssl flag, not supported.
+
+ -- Luca Boccassi <bluca@debian.org>  Thu, 24 Feb 2022 10:26:08 +0000
+
 swtpm (0.6.1-0ubuntu5~bpo20.04.1) focal; urgency=medium
 
   * Rebuild for focal.
diff -Nru swtpm-0.6.1/debian/patches/openssl-not-certtool.patch swtpm-0.6.1/debian/patches/openssl-not-certtool.patch
--- swtpm-0.6.1/debian/patches/openssl-not-certtool.patch	2021-12-02 17:54:10.000000000 +0000
+++ swtpm-0.6.1/debian/patches/openssl-not-certtool.patch	2022-02-24 10:25:38.000000000 +0000
@@ -114,7 +114,7 @@
          /* generate the root-CA's private key */
          cmd = concat_arrays(cmd, (gchar*[]){
 -                                (gchar *)certtool, "--generate-privkey", "--outfile", cakey, NULL
-+			openssl, "genrsa", "-traditional", "-out", cakey, NULL
++			openssl, "genrsa", "-out", cakey, NULL
                              }, TRUE);
          if (swtpm_rootca_password != NULL)
 +        {
@@ -228,7 +228,7 @@
          cmd = concat_arrays(NULL,
                              (gchar *[]) {
 -                                certtool, "--generate-privkey", "--outfile", (gchar *)signkey, NULL
-+                                openssl, "genrsa", "-traditional", "-out", (gchar *)signkey, NULL
++                                openssl, "genrsa", "-out", (gchar *)signkey, NULL
                              }, FALSE);
          if (signkey_password != NULL)
 -            cmd = concat_arrays(cmd, (gchar *[]){