It’s kind of why I settled on “annoying” as my descriptor. I know just enough about it to do what I need and nothing more. So maybe that’s the reason, and it’s a good reason, or maybe there are also other good reasons. Honestly, I don’t know.

I’ll say that it feels somewhat pointless on every system I’ve personally used it on. In all cases I’m still generating my private key in PEM format and using filesystem permissions to restrict access. So the PKCS12 / JKS password stuff just becomes another thing to bother with that doesn’t provide any real improvement to security.

Now maybe we should be deleting that PEM once we slurp it into the keystore, and actually setting real keystore passwords sourced from a secure location and only kept in memory, etc. I’d definitely rather not though.