Closed PATROMO closed 3 years ago
Thanks for spotting this. I am surprised openssl doesn't produce any error. Just silently creates the priv key without a password. Scary.
It looks like we should also update this to use `genpkey` instead of `genrsa` going forwards. Thanks very much for this.
To generate a private key with a passphrase, an encryption must be specified: `-aes128`. Otherwise a key without a passphrase will be created and no error will occur. The stupid thing is that the PHP code does not throw an error if you specify a passphrase for a private key without a passphrase. Therefore no one notices the error.
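Since neither openssl nor the PHP side reports the problem described in this thread, a post-generation check on the key file is one way to catch it. The script below is an added example, not code from this thread or project: the function names, the passphrase-file convention, the 2048-bit size and the `-aes-128-cbc` choice are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): catch keys that came out unencrypted.

# Return 0 if the PEM private key in file $1 is passphrase-protected,
# 1 if it is plaintext, 2 if the file cannot be read.
# Encrypted PKCS#8 uses the "ENCRYPTED PRIVATE KEY" label; traditional
# PEM keys (e.g. "RSA PRIVATE KEY") mark it with a Proc-Type header.
pem_key_encrypted() {
    [ -r "$1" ] || return 2
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Generate an RSA key with genpkey and keep it only if it is encrypted.
# $1 = output path, $2 = file containing the passphrase (assumed paths).
generate_encrypted_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-128-cbc -pass "file:$2" -out "$1" 2>/dev/null || return 2
    if pem_key_encrypted "$1"; then
        return 0
    fi
    rm -f "$1"   # never leave a plaintext key behind
    return 1
}

# Demo, skipped when openssl is not installed. The passphrase is constructed.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d) || demo_dir=
    if [ -n "$demo_dir" ]; then
        printf 'constructed-demo-passphrase\n' > "$demo_dir/pass"
        # Passphrase supplied but no cipher flag, as described in the issue.
        openssl genrsa -passout "file:$demo_dir/pass" \
            -out "$demo_dir/no_cipher.pem" 2048 2>/dev/null || true
        if pem_key_encrypted "$demo_dir/no_cipher.pem"; then
            echo "genrsa without cipher flag: encrypted"
        else
            echo "genrsa without cipher flag: NOT encrypted"
        fi
        if generate_encrypted_key "$demo_dir/ok.pem" "$demo_dir/pass"; then
            echo "genpkey with -aes-128-cbc: encrypted"
        else
            echo "genpkey with -aes-128-cbc: failed check"
        fi
        rm -rf "$demo_dir"
    fi
fi
```

The same header check can run in CI or at deploy time against any key file the application expects to be passphrase-protected.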