...
When you issue the above command, you will be given the option of encrypting the private key. If you're generating the private key directly on the IdP (or SP), this is not necessary since it is assumed your host system is secure. If, however, you're generating the private key on any other host, you must encrypt the private key as stipulated above. Once the private key has been secured on the target IdP (or SP), it may be decrypted in situ with the following OpenSSL command:
...