diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 9a150fa2162..69877d1ddfd 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1892,6 +1892,20 @@ write_pem_key_file(const char *filename, const char *pem_name)
 return;
 }
+bool
+generate_ephemeral_key(struct buffer *key, const char *key_name)
+{
+ msg(M_INFO, "Using random %s.", key_name);
+ uint8_t rand[BCAP(key)];
+ if (!rand_bytes(rand, BCAP(key)))
+ {
+ msg(M_WARN, "ERROR: could not generate random key");
+ return false;
+ }
+ buf_write(key, rand, BCAP(key));
+ return true;
+}
+
 bool
 read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, const char *key_inline)
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index c59474834ca..18a86ceb0b9 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -428,7 +428,17 @@ unsigned int crypto_max_overhead(void);
 * @param pem_name The name to use in the PEM header/footer.
 */
 void
-write_pem_key_file(const char *filename, const char *pem_name);
+write_pem_key_file(const char *filename, const char *key_name);
+
+/**
+ * Generate ephermal key material into the key structure
+ *
+ * @param key the key structure that will hold the key material
+ * @param pem_name the name used for logging
+ * @return true if key generation was successful
+ */
+bool
+generate_ephemeral_key(struct buffer *key, const char *pem_name);
 /**
 * Read key material from a PEM encoded files into the key structure
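Review bot: The return value of `buf_write()` on the line before `return true;` in generate_ephemeral_key is discarded, so a failed copy into the key buffer would still be reported as success, and the complete key is left behind in the stack array `rand` after the function returns. Both can be handled at the tail of the function by keeping the result, wiping the temporary and returning it: `const bool ok = buf_write(key, rand, BCAP(key));`, `secure_memzero(rand, sizeof(rand));` (or whichever zeroing helper this file already uses — a plain memset before return is liable to be optimized away), `return ok;`, logging at M_WARN on failure as the rand_bytes branch already does. Note also that `uint8_t rand[BCAP(key)]` is a VLA sized by a runtime value; if BCAP(key) can be 0 for any caller, a zero-length array is undefined behaviour, so a guard on the capacity before the declaration would be worthwhile. The local name `rand` also shadows the C library function of the same name, which -Wshadow will flag.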
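Review bot: The prototype added for generate_ephemeral_key names its second parameter `pem_name` and documents it as "the name used for logging", while the definition in crypto.c calls it `key_name`; the two should agree, e.g. `generate_ephemeral_key(struct buffer *key, const char *key_name);` with `@param key_name the name used in the log message`. The same hunk renames write_pem_key_file's parameter from `pem_name` to `key_name` but leaves the context line `@param pem_name The name to use in the PEM header/footer.` above it untouched, so Doxygen now documents a parameter that no longer exists. "ephermal" in the new comment should read "ephemeral". The @return line could also state that false is returned when random generation fails, which is the only failure the definition reports.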