Per http://drupalscout.com/knowledge-base/storing-private-information-secure..., it would be better to NOT store the certificate passphrase as a regular variable in the database, unencrypted.

One option may be to store the value in the site's settings.php. Another (and not mutually exclusive) would be to leverage an encryption module such as Encrypt or AES.

More investigation is needed to figure out if the extra security is effective and worth the additional code. Any suggestions welcome!
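The settings.php option mentioned above, as an added example that is not part of the original post or the module's code. It assumes a Drupal 6/7 style `$conf` override; the variable name `mymodule_cert_passphrase` and the file path are hypothetical placeholders.

```php
<?php
// settings.php fragment (assumes Drupal 6/7, where $conf overrides the {variable} table).
// Hypothetical names: 'mymodule_cert_passphrase' stands for whatever name the
// module passes to variable_get(); the path below is a constructed placeholder.
$passphrase_file = '/etc/drupal/secrets/cert_passphrase'; // outside the docroot

if (is_readable($passphrase_file)) {
  $mode = fileperms($passphrase_file) & 0777;
  // Refuse a secret file that users other than owner/group can access.
  if (($mode & 0007) === 0) {
    // A $conf entry takes precedence over the database value, so
    // variable_get('mymodule_cert_passphrase') returns this string and the
    // passphrase never has to be written to the {variable} table.
    $conf['mymodule_cert_passphrase'] = rtrim(file_get_contents($passphrase_file), "\r\n");
  }
  else {
    error_log('Certificate passphrase file mode is ' . decoct($mode) . '; remove access for "other".');
  }
}
else {
  error_log('Certificate passphrase file is missing or unreadable.');
}
```

For this to help, any value already saved in the database would need to be removed with `variable_del()`, and the module's settings form must not write the passphrase back with `variable_set()`.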