diff --git a/utils/gen-ec-cert.sh b/utils/gen-ec-cert.sh
index 90498e7..f8769a3 100644
--- a/utils/gen-ec-cert.sh
+++ b/utils/gen-ec-cert.sh
@@ -28,6 +28,12 @@ shift $((OPTIND - 1))
 domain=$1
 (umask 077 && openssl genpkey -aes256 \
- -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key") &&
- openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
+ -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key")
+if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
+ # openssl doesn't return an error code if there is a password mismatch
+ # or a password too short, and it creates the output file anyways
+ rm -f "$domain.key"
+ exit 1
+fi
+openssl req -new -x509 -days "$days" -subj "/CN=$domain" \
 -key "$domain.key" -out "$domain.pem"
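Review bot: The new failure branch deletes the key and exits 1 without telling the user why, and it tests `$?` of the preceding subshell on a separate line, which is fragile: if the script runs under `set -e` (the top of the file is not visible here) a non-zero genpkey exit aborts before the `rm -f` cleanup runs, leaving the truncated key file the commit is trying to remove. Folding the subshell into the condition keeps both the exit-status and the empty-file checks inside the `if`, where `set -e` does not apply: `if ! (umask 077 && openssl genpkey -aes256 -algorithm ec -pkeyopt ec_paramgen_curve:"$curve" -out "$domain.key") || [ ! -s "$domain.key" ]; then`. Add a diagnostic before `exit 1`, e.g. `printf 'error: key generation for %s failed, removing %s\n' "$domain" "$domain.key" >&2`. Note also that `-s` only catches an empty output; a non-empty but unusable key would still be passed to `openssl req`, whose exit status is checked nowhere in the hunk, so the script's overall result depends on whatever follows outside this hunk (the hunk counts suggest one trailing context line is not shown).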