If you have a private key that is not encrypted (for example, it was created with the "-nodes" command line option), you can encrypt the private key with a password. A typical openssl command and resulting interactive session is shown here:

    > openssl rsa -des3 -in hostkeyNOPASSWORD.pem -out hostkeySECURE.pem
    writing RSA key
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    >

Here's an explanation of the command line options:

    * -des3 - encrypt the private key with the triple DES cipher before outputting it. The passphrase you enter must be at least four characters long.
    * -in hostkeyNOPASSWORD.pem - read in the unencrypted private key from the file hostkeyNOPASSWORD.pem.
    * -out hostkeySECURE.pem - write out the encrypted private key to the file hostkeySECURE.pem.