You can still add a passphrase to a private key even after a certificate is generated.
openssl rsa -des3 -in your.key -out your.encrypted.key mv your.encrypted.key your.key
openssl to encrypt the key with DES3.
openssl rsa -in your.key -out your.open.key
you will be asked for your passphrase one last time by omitting the
-des3 you tell
openssl to not encrypt the output.
mv your.open.key your.key