What is the purpose of the -nodes argument in openssl?

Backend · unresolved · 2 answers · 1344 views
不思量自难忘° 2021-01-31 23:59


2 answers
  •  难免孤独
    2021-02-01 00:27

    Edit: nginx v1.7.3 added an ssl_password_file directive, which reads passphrases from a specified file, trying each passphrase on the context's encrypted-private.key.

    indiv is correct that the -nodes argument means that OpenSSL will create an UNencrypted private.key; otherwise, there will be a passphrase prompt to create encrypted-private.key. See req, pkcs12, CA.pl.

    However, I feel the purpose (for programmers) is this:

    • HTTP servers (e.g. Apache, Nginx) cannot read encrypted-private.key without a passphrase →
      • Option A - each time the HTTP server starts, you must provide the passphrase for encrypted-private.key
      • Option B - specify ssl_password_file file.keys; in the http { } or server { } context. [ref]
      • Option C - use -nodes to create private.key without encryption

    Useful: lock down private.key

    • { add the HTTP server's user to the ssl-cert group }
    • sudo chown root:ssl-cert private.key - change the owner of private.key to the root user, ssl-cert group
    • sudo chmod 640 private.key - change the access permissions of private.key to owner R/W, group R
    • now the HTTP server should be able to start and read the UNencrypted private.key

    Option A

    Stronger security, yet when the server restarts, you have to manually type in the passphrase for encrypted-private.key.

    Option B

    Medium security, and probably a good balance between A/C.

    Option C

    Weaker security, yet you are NOT prompted for a passphrase for the UNencrypted private.key.
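The three options above, as an added example that is not part of the original answer: it generates one key with -nodes (Option C) and one without (the encrypted-private.key of Options A and B), shows how the PEM header tells them apart, loads the encrypted key with the passphrase read from a file instead of a prompt (the same idea as nginx's ssl_password_file, here done with openssl's own -passin file:), and applies the chmod 640 lock-down. The subject name, the placeholder passphrase, and the file names are assumptions chosen for the demo; chown to root:ssl-cert is left out because it needs root.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes an OpenSSL CLI on PATH; the CN, file names and the passphrase
# "correct-horse" are placeholders for the demo.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# First PEM line: "BEGIN PRIVATE KEY" vs "BEGIN ENCRYPTED PRIVATE KEY".
pem_header() { head -n 1 "$1"; }

# Option C: -nodes => the key is written unencrypted, no passphrase prompt.
make_unencrypted_key() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example.test" \
    -keyout "$WORKDIR/private.key" -out "$WORKDIR/cert.pem" 2>/dev/null
  pem_header "$WORKDIR/private.key"
}

# Without -nodes the key is encrypted. -passout stands in for the interactive
# prompt so the script can run unattended (Option A is the same command with
# a human typing the passphrase instead).
make_encrypted_key() {
  openssl req -x509 -newkey rsa:2048 -days 1 \
    -subj "/CN=example.test" -passout pass:correct-horse \
    -keyout "$WORKDIR/encrypted-private.key" -out "$WORKDIR/cert2.pem" 2>/dev/null
  pem_header "$WORKDIR/encrypted-private.key"
}

# Try to load a key with a given -passin source; exit status says whether the
# passphrase was right. "file:<path>" reads the first line of the file, which
# is the Option B pattern (passphrase kept in a locked-down file, not typed).
key_loads() {
  openssl pkey -in "$1" -passin "$2" -noout 2>/dev/null
}

# Option B helper: write the passphrase file that key_loads will read.
write_password_file() {
  printf 'correct-horse\n' > "$WORKDIR/file.keys"
  chmod 600 "$WORKDIR/file.keys"
  printf '%s\n' "$WORKDIR/file.keys"
}

# The lock-down from the answer, minus chown (needs root): owner rw, group r.
# Prints the resulting octal mode.
lock_down_key() {
  chmod 640 "$1"
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-alone demo run.
printf 'unencrypted key header: %s\n' "$(make_unencrypted_key)"
printf 'encrypted key header:   %s\n' "$(make_encrypted_key)"
PWFILE=$(write_password_file)
if key_loads "$WORKDIR/encrypted-private.key" "file:$PWFILE"; then
  echo "encrypted key loads with passphrase from file (Option B)"
fi
if ! key_loads "$WORKDIR/encrypted-private.key" "pass:wrong"; then
  echo "encrypted key does NOT load with the wrong passphrase"
fi
printf 'private.key mode after lock-down: %s\n' "$(lock_down_key "$WORKDIR/private.key")"
```

Whichever option you pick, the -nodes key is only as safe as the file permissions around it, which is why the lock-down step matters more than the flag itself; with Option B the passphrase file needs the same treatment, since anyone who can read both files has the key anyway.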
