I would vote for implementing the feature to explicitly set empty passwords for certificate requests request-cert.
This would allow automated creation of password-less keys to be used i.e. for web servers.

Maybe implementing another flag --empty-passphrase and internally setting empty byte array.

Agreed. I think defaulting to no password is a sensible default -- I've been thinking that's a good "2.0" type change.

What's the problem with using '--passphrase ""' in scripts? That's what I'm doing to get password-less keys, works fine.

Thanks @thkukuk .. Obviously no problem, I just tried it again and it works... Don't know, what I messed up before. Sorry for creating this issue.