Thomas Griffith wrote: ... Then coded a scheduled process using the core PKCS12 code above to read the expiration date stuff and start the reminders on a weekly basis once it gets to 90 days before expiration. Thanks so much.
You're welcome - glad to hear that you got it working.
Thomas Griffith wrote: ... after realizing PEM basically exposes the private key and certs
There is nothing sensitive in the X.509 certificates. In fact, they are offered to the (anonymous) client in plain text every time a TLS connection is being established.
Thomas Griffith wrote: With the password-protected key store, however, comes the Tomcat issue of storing passwords in plain text within server.xml (for the key store)
I'm pretty sure that Tomcat supports PKCS12 keystores directly, so you should not need to keep the private key in the clear on the file system (however, the encryption key for the keystore will be in the file system).
Thomas Griffith wrote: Do you know if that Digester.bat can be used to SHA-256 passwords?
I don't know what Digester.bat is, but I can't imagine it working. The private key is used to create and verify digital signatures - it is not a password.
I'm not sure what your security concerns/requirements are, but I worked on some PCI (payment card industry)-like projects where we were absolutely paranoid about the private key getting exfiltrated, and would not have passed security audits having the private key or encrypting key in the open. Our solution was to use HSMs to generate and store the private keys (and symmetric encryption keys), and have the HSM sign and verify content using these internally-stored keys. Keys stored in an HSM cannot be extracted. The cost of an HSM can range from $100 for a low-end USB device to $50,000 for a high-end network-connected device.
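The expiry check that the thread describes (scan a PKCS12 keystore, flag anything within 90 days of its notAfter date, run it on a schedule) is easy to sketch with the JDK's standard KeyStore API. The class below is an added example and is not the original poster's code or anything from Tomcat; the keystore path, the KEYSTORE_PASSWORD environment variable and the 90-day default are assumptions for illustration. It reads the keystore password from the environment rather than a literal, since the thread's concern is exactly that the keystore password otherwise ends up in a plain-text config file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example, not the original poster's code: scan a PKCS12 keystore and
 * report every X.509 certificate whose notAfter date falls within a warning
 * window. A scheduler (cron, Quartz, ...) would run main() weekly and hand the
 * findings to whatever sends the reminder.
 */
public class KeystoreExpiryCheck {

    /** One finding: keystore alias, certificate subject and days left (negative = already expired). */
    public static final class Finding {
        public final String alias;
        public final String subject;
        public final long daysRemaining;

        Finding(String alias, String subject, long daysRemaining) {
            this.alias = alias;
            this.subject = subject;
            this.daysRemaining = daysRemaining;
        }

        @Override
        public String toString() {
            return alias + " (" + subject + "): " + daysRemaining + " day(s) remaining";
        }
    }

    /** Load a PKCS12 keystore; the JDK's built-in provider handles the format, no extra library needed. */
    public static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Return the certificates that expire within warnDays of 'now' (or already have).
     * KeyStore.getCertificate() yields the leaf certificate for a private-key entry
     * and the certificate itself for a trusted-certificate entry, so both kinds are covered.
     */
    public static List<Finding> findExpiring(KeyStore ks, long warnDays, Instant now) throws Exception {
        List<Finding> out = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // e.g. a secret-key entry with no certificate
            }
            X509Certificate x509 = (X509Certificate) cert;
            long days = Duration.between(now, x509.getNotAfter().toInstant()).toDays();
            if (days <= warnDays) {
                out.add(new Finding(alias, x509.getSubjectX500Principal().getName(), days));
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: KeystoreExpiryCheck <keystore.p12> [warnDays]");
            System.exit(2);
        }
        // Assumption: the keystore password is injected via the environment by the scheduler,
        // so it does not have to live as a literal in a config file or in this source.
        String pw = System.getenv("KEYSTORE_PASSWORD");
        char[] password = pw == null ? new char[0] : pw.toCharArray();
        long warnDays = args.length > 1 ? Long.parseLong(args[1]) : 90; // 90 days, as in the thread
        try {
            KeyStore ks = loadPkcs12(args[0], password);
            List<Finding> findings = findExpiring(ks, warnDays, Instant.now());
            if (findings.isEmpty()) {
                System.out.println("No certificates within " + warnDays + " days of expiry.");
            }
            for (Finding f : findings) {
                System.out.println(f);
            }
            // A scheduler can key off the exit status: non-zero means reminders are due.
            System.exit(findings.isEmpty() ? 0 : 1);
        } finally {
            Arrays.fill(password, '\0'); // scrub the password from the heap when done
        }
    }
}
```

Run it as `KEYSTORE_PASSWORD=... java KeystoreExpiryCheck /path/to/keystore.p12 90`; only aliases that hold an X.509 certificate are reported, and an already-expired certificate shows up with a negative day count rather than being silently skipped.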