cfssl gencsr touches key file #1026

@ashemedai


% cfssl version
Version: 1.3.4
Revision: dev
Runtime: go1.12.7

When using cfssl gencsr -key <keyfile>, I noticed that cfssl seems to adjust the mtime of the keyfile. Since the use case of gencsr is to use an existing file, I doubt it needs to touch the file.

Can be reproduced by:

  1. Generate JSON file
  2. cfssl keygen JSON | cfssl-json -bare mycert
  3. stat -f "%Sc %Sa %Sm" mycert-key.pem (BSD/Mac syntax) and notice the timestamps
  4. Wait a minute so that clock rolls over
  5. cfssl gencsr -key mycert-key.pem JSON
  6. stat -f "%Sc %Sa %Sm" mycert-key.pem and notice that the ctime and mtime have changed.

What I also find interesting is:

% cfssl gencsr -h
	cfssl gencsr -- generate a csr from a private key with existing CSR json specification or certificate

Usage of genkey:
        cfssl gencsr -key private_key_file [-host hostname_override] CSRJSON
        cfssl gencsr -key private_key_file [-host hostname_override] -cert certificate_file

Arguments:
        CSRJSON:    JSON file containing the request, use '-' for reading JSON from stdin

Notice the output of genkey in the output above. I have not yet looked at the code to see whether gencsr is wrapping genkey's functionality, which could explain the behaviour I write about above.
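The reproduction steps above, as an added shell example that is not part of the original issue or of the cfssl project: it snapshots a file's mtime, ctime and content hash around an arbitrary command and reports whether only the timestamps moved or the content was rewritten. The function names and the `csr.json` file name in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check whether a command touches or rewrites a file.
# Usage (csr.json is a placeholder for the JSON file from step 1):
#   check_untouched mycert-key.pem cfssl gencsr -key mycert-key.pem csr.json

# Print "mtime ctime" in epoch seconds: GNU stat first, then BSD/macOS stat.
file_times() {
    stat -c '%Y %Z' "$1" 2>/dev/null || stat -f '%m %c' "$1" 2>/dev/null
}

# Print a content digest using whichever tool is installed.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | cut -d' ' -f1
    else
        cksum < "$1"
    fi
}

# check_untouched FILE CMD [ARGS...]
# Prints unchanged, timestamps-changed or content-changed.
# Returns 0 only for unchanged, 2 if FILE cannot be inspected.
check_untouched() {
    f=$1
    shift
    [ -f "$f" ] || return 2
    before_t=$(file_times "$f") || return 2
    before_h=$(file_hash "$f")

    # The command's own exit status is ignored; only the file matters here.
    "$@" >/dev/null 2>&1 || :

    after_t=$(file_times "$f") || return 2
    after_h=$(file_hash "$f")

    if [ "$before_h" != "$after_h" ]; then
        echo "content-changed"
        return 1
    elif [ "$before_t" != "$after_t" ]; then
        echo "timestamps-changed"
        return 1
    fi
    echo "unchanged"
}
```

Timestamps are compared at one-second resolution, so the wait in step 4 still applies when the file was created moments before the check.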
