Question

With regards to the openSSL heartbleed issue and resolution, should I revoke OR re-key my existing SSL cert?


Solution 2

Once you have fixed the problem (upgraded openssl), you can re-key your existing SSL cert.

Re-keying effectively issues a new certificate, and your old cert will be revoked automatically.

The other reason to revoke your certificate is if the information on the certificate (other than your keys) changes. This information is public anyway; it is included in the certificate which is handed out to anyone who connects.

Of course, if they have your private key, any information encrypted with that private key may also have been compromised - you may consider forcing a password change for any users who have logged in in the period in question. Especially administrators.

Other tips

Because the private key might be compromised, you need to re-key the certificate instead of just renewing it, e.g. use a new public/private key pair instead of renewing the old one. Revoking the compromised certificate needs to be done too, which may be done automatically if you create the new certificate with the same CA, but you should check this with the issuer (CA).

Note that the revocation process of the current PKI structure in the browsers is bad, e.g. some don't check, some ignore OCSP errors, etc. And it is worse outside the browsers (e.g. scripts, mobile apps, ...). That's why in the last big compromises or wrong behavior of CAs (Comodo, DigiNotar, FGC/A, ...) you always got a new browser version :(
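Both answers make the same point: after Heartbleed a renewal that reuses the old key pair is not enough, the certificate has to be re-keyed with a freshly generated private key. The script below is an added example (not code from either answer) that does the re-key with the openssl command line and then checks two things a practitioner wants to be sure of before sending the CSR to the CA: that the new key really is a different key pair from the old one, and that the CSR was built for the new key rather than accidentally for the old one. It assumes the `openssl` CLI is installed; the subject `/CN=www.example.com`, the file names and the "old" key are constructed placeholders.

```shell
#!/bin/sh
# Added example: re-key a certificate (new private key + new CSR) and verify the result.
# Assumes the openssl CLI is available. All paths and the subject are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Fingerprint of the public half of a private key: SHA-256 over the DER-encoded
# SubjectPublicKeyInfo. Two private keys with the same fingerprint are the same key pair.
pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint, but taken from the public key embedded in a CSR, so we can
# tell which private key a CSR was actually generated for.
csr_pubkey_fp() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Re-key: generate a brand-new RSA key pair and a CSR for it in one step.
# A plain renewal would instead run "openssl req -new -key old.key", reusing the
# possibly leaked private key; -newkey is what makes this a re-key.
rekey() {
    subject="$1"; key_out="$2"; csr_out="$3"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key_out" -out "$csr_out" -subj "$subject" 2>/dev/null
}

# Returns 0 (true) only when the new key differs from the old one AND the CSR
# carries the new public key. Either failure means the CA would issue a cert
# bound to a key you cannot trust.
verify_rekey() {
    old_key="$1"; new_key="$2"; csr="$3"
    old_fp=$(pubkey_fp "$old_key")
    new_fp=$(pubkey_fp "$new_key")
    csr_fp=$(csr_pubkey_fp "$csr")
    [ "$old_fp" != "$new_fp" ] && [ "$csr_fp" = "$new_fp" ]
}

# --- Demo on constructed data: "old.key" stands in for the key that was exposed
# --- to Heartbleed; in practice this is the key your server has been using.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/old.key" 2>/dev/null
rekey "/CN=www.example.com" "$WORK/new.key" "$WORK/new.csr"

if verify_rekey "$WORK/old.key" "$WORK/new.key" "$WORK/new.csr"; then
    echo "re-key OK: new key differs from old key and CSR uses the new key ($WORK/new.csr)"
else
    echo "re-key FAILED: CSR does not use a fresh key" >&2
    exit 1
fi
```

After the CSR has been issued by the CA, the same `pubkey_fp` check can be run against the returned certificate (`openssl x509 -in cert.pem -pubkey -noout`) to confirm the CA signed the new key, and the old certificate should then be revoked with the issuer as the second answer describes, since a revocation is not guaranteed to happen automatically.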

License: CC-BY-SA with attribution