Using the finalizer for sensitive operations is not a good idea since nothing in Tomcat retains the SSLContext instances after using them to init.
tomcat/trunk/java/org/apache/tomcat/util/net/SSLContext.java