Unencrypted private key needed in browser-kibana https communication?

I followed the instructions at https://www.elastic.co/guide/en/kibana/current/production.html#enabling-ssl and got an error accessing Kibana through https:

FATAL[Error:error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read]

I re-exported the key from my p12 using:

openssl pkcs12 -in mykey.p12 -nodes -out mykey.pem

... and it worked. But I understand the -nodes to have removed encryption of the key which I'm guessing is a bad thing. Is non-encryption required or am I doing something wrong?