Sensitive information stored in our database is stored encrypted.
My application needs a single global AES 256 encryption key. My boss suggests using the same key stored in a certificate used for our SSL. Mind you this application is not SSL related.
I'm wondering if this is a good idea? Maybe we should store a separate key in a database or in the Java backend code itself?
I hear SSL uses a variety of encryption methods and so the key used by SSL may not be compatible with the encryption we use, which is always AES 256?
Help appreciated
Try storing it in a JCEKS key store instead. Key stores can be used to store keys. Note that you would need to protect it with a relatively strong pass phrase. It's tricky to automate access to a key.
Understanding how you can manage keys is called key management, and it is the topic of entire books.