diff --git a/zuulclient/utils/__init__.py b/zuulclient/utils/__init__.py
index ced76a1..785f1f6 100644
--- a/zuulclient/utils/__init__.py
+++ b/zuulclient/utils/__init__.py
@@ -79,9 +79,14 @@ def encrypt_with_openssl(pubkey_path, plaintext, logger=None):
             'Input plaintext length: {} bytes'.format(len(plaintext)))
         logger.info('Number of chunks: {}'.format(chunks))
-    cmd = ['openssl', 'rsautl', '-encrypt',
-           '-oaep', '-pubin', '-inkey',
-           pubkey_path]
+    # NOTE(ianw) 2023-03-29 : previously this used the deprecated
+    # rsautl tool, which hardcoded sha1 as the oaep hash; so zuul
+    # assumes that on decryption. Be careful modifying it.
+    cmd = ['openssl', 'pkeyutl', '-encrypt', '-pubin',
+           '-inkey', pubkey_path,
+           '-pkeyopt', 'rsa_padding_mode:oaep',
+           '-pkeyopt', 'rsa_oaep_md:sha1']
+
     if logger:
         logger.debug('Invoking "%s" with each data chunk:' % ' '.join(cmd))
     for count in range(chunks):
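Review bot: The new `cmd` pins the OAEP digest to SHA-1 but leaves the MGF1 digest to OpenSSL's default, so compatibility with Zuul's decryptor rests on the (undocumented here) rule that `rsa_mgf1_md` falls back to `rsa_oaep_md`; pinning it explicitly with `'-pkeyopt', 'rsa_mgf1_md:sha1'` after the `rsa_oaep_md:sha1` option makes the ciphertext format independent of that default across OpenSSL versions. The NOTE comment should also say why SHA-1 is tolerable here, e.g. `# sha1 is only the OAEP padding/MGF1 hash, not a signature, so collision attacks do not apply; but FIPS/crypto-policy-hardened builds may reject it, and the Zuul decryptor must change in lock-step before moving to sha256.` That caveat is what will stop a well-meaning "drop SHA-1" cleanup from silently producing undecryptable secrets. encrypt_with_openssl starts before this hunk and continues after it, so the chunk-size computation that must match the SHA-1 OAEP overhead (2*20+2 bytes per RSA block) is not visible here and should be checked alongside this change.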