diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
index e4403196583cccf077b2d16cb80758ebee5116d9..860b93e16c226777ce92fafbec1bb021e7634787 100644
--- a/lib/private/Authentication/Token/IProvider.php
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -45,6 +45,7 @@ interface IProvider {
 	 * @param int $type token type
 	 * @param int $remember whether the session token should be used for remember-me
 	 * @return IToken
+	 * @throws \RuntimeException when OpenSSL reports a problem
 	 */
 	public function generateToken(string $token,
 								  string $uid,
@@ -82,6 +83,7 @@ interface IProvider {
 	 * @param string $oldSessionId
 	 * @param string $sessionId
 	 * @throws InvalidTokenException
+	 * @throws \RuntimeException when OpenSSL reports a problem
 	 */
 	public function renewSessionToken(string $oldSessionId, string $sessionId);
 
@@ -158,6 +160,7 @@ interface IProvider {
 	 * @param string $oldTokenId
 	 * @param string $newTokenId
 	 * @return IToken
+	 * @throws \RuntimeException when OpenSSL reports a problem
 	 */
 	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken;
 
diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php
index c49bd1b1e1903490490f423ed8edf58cef1b0198..76c0dfb86955fdcdbffc2c61be6da2584d0859f1 100644
--- a/lib/private/Authentication/Token/Manager.php
+++ b/lib/private/Authentication/Token/Manager.php
@@ -109,6 +109,7 @@ class Manager implements IProvider {
 	 *
 	 * @param string $tokenId
 	 * @throws InvalidTokenException
+	 * @throws \RuntimeException when OpenSSL reports a problem
 	 * @return IToken
 	 */
 	public function getToken(string $tokenId): IToken {
@@ -206,6 +207,7 @@ class Manager implements IProvider {
 	 * @param string $newTokenId
 	 * @return IToken
 	 * @throws InvalidTokenException
+	 * @throws \RuntimeException when OpenSSL reports a problem
 	 */
 	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
 		if ($token instanceof DefaultToken) {
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
index 6e6d7acf242f0f0a5ae03eddc6e79f48eda0a57d..adc4b4bed38485b4c1a08806c6e22654e1e71983 100644
--- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php
+++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php
@@ -61,6 +61,9 @@ class PublicKeyTokenProvider implements IProvider {
 		$this->time = $time;
 	}
 
+	/**
+	 * {@inheritDoc}
+	 */
 	public function generateToken(string $token,
 								  string $uid,
 								  string $loginName,
@@ -268,6 +271,7 @@ class PublicKeyTokenProvider implements IProvider {
 	/**
 	 * Convert a DefaultToken to a publicKeyToken
 	 * This will also be updated directly in the Database
+	 * @throws \RuntimeException when OpenSSL reports a problem
 	 */
 	public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
 		$pkToken = $this->newToken(
@@ -286,6 +290,9 @@ class PublicKeyTokenProvider implements IProvider {
 		return $this->mapper->update($pkToken);
 	}
 
+	/**
+	 * @throws \RuntimeException when OpenSSL reports a problem
+	 */
 	private function newToken(string $token,
 							  string $uid,
 							  string $loginName,
@@ -306,6 +313,7 @@ class PublicKeyTokenProvider implements IProvider {
 		$res = openssl_pkey_new($config);
 		if ($res === false) {
 			$this->logOpensslError();
+			throw new \RuntimeException('OpenSSL reported a problem');
 		}
 
 		openssl_pkey_export($res, $privateKey);