You can still add a passphrase to a private key even after a certificate is generated.
openssl rsa -des3 -in your.key -out your.encrypted.key mv your.encrypted.key your.key
the -des3 tells openssl to encrypt the key with DES3.
remove it
openssl rsa -in your.key -out your.open.key
you will be asked for your passphrase one last time by omitting the -des3 you tell openssl to not encrypt the output.
mv your.open.key your.key
http://security.stackexchange.com/questions/59136/can-i-add-a-password-to-an-existing-private-key