heartbleed - Revoke or re-key SSL certificate? [closed]

With regards to the openSSL heartbleed issue and resolution, should I revoke OR re-key my existing SSL cert?

Dandan asked Dec 26 '22 10:12


2 Answers

Because the private key might be compromised you need to re-key the certificate instead of just renewing it, e.g. use a new public/private key pair instead of renewing one. Revoking the compromised certificate needs to be done too, which may be done automatically if you create the new certificate with the same CA, but you should check this with the issuer (CA).

Note that the revocation process of the current PKI structure in the browsers is bad, e.g. some don't check, some ignore OCSP errors, etc. And it is worse outside the browsers (e.g. scripts, mobile apps...). That's why in the last big compromises or wrong behavior of CAs (Comodo, DigiNotar, FGC/A ...) you always got a new browser version :(

Steffen Ullrich answered Jan 06 '23 02:01


ONCE you have fixed the problem (upgraded OpenSSL), you can re-key your existing SSL cert.

Re-keying effectively issues a new certificate, and your old cert will be revoked automatically.

The other reason to revoke your certificate is if the information on the certificate (other than your keys) changes. This information is public anyway; it is included in the certificate, which is handed out to anyone who connects.

Of course, if they have your private key, any information encrypted with that private key may also have been compromised; you may consider forcing a password change for any users who have logged in during the period in question. Especially administrators.

AMADANON Inc. answered Jan 06 '23 02:01
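Both answers hinge on the difference between renewing (same key pair, new validity period) and re-keying (fresh key pair). The check a practitioner wants before submitting a CSR to the CA is that the CSR's public key really differs from the key in the deployed certificate, since a "renewal" that silently reuses the old key leaves a Heartbleed-exposed key in service. The following is an added example, not code from either answer: it compares the SHA-256 fingerprint of the SubjectPublicKeyInfo in the old certificate against the one in a candidate CSR, using only the Go standard library. The hostname `example.test`, the self-signed stand-in for the deployed certificate, and the function names (`SPKIFingerprint`, `ReusesKey`, `Compare`) are constructed for this example; on a real server you would load the deployed certificate and the CSR from disk instead.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint hashes the DER-encoded SubjectPublicKeyInfo of a public key.
// A certificate and a CSR with equal fingerprints are bound to the same key pair.
func SPKIFingerprint(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// ReusesKey reports whether csr was generated with the same key as oldCert,
// i.e. whether a "renewal" kept a key that Heartbleed may have exposed.
func ReusesKey(oldCert *x509.Certificate, csr *x509.CertificateRequest) (bool, error) {
	oldFP, err := SPKIFingerprint(oldCert.PublicKey)
	if err != nil {
		return false, err
	}
	newFP, err := SPKIFingerprint(csr.PublicKey)
	if err != nil {
		return false, err
	}
	return oldFP == newFP, nil
}

// selfSignedCert stands in for the certificate currently deployed on the
// server (constructed here; a real one would be parsed from the PEM on disk).
func selfSignedCert(key *rsa.PrivateKey, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// csrFor builds the certificate signing request you would submit to the CA.
func csrFor(key *rsa.PrivateKey, cn string) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// Compare builds one CSR from the old key (a plain renewal) and one from a
// fresh key (a re-key) and reports whether each reuses the deployed cert's key.
func Compare() (renewReuses bool, rekeyReuses bool, err error) {
	const cn = "example.test" // constructed hostname for the example
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	oldCert, err := selfSignedCert(oldKey, cn)
	if err != nil {
		return false, false, err
	}
	renewCSR, err := csrFor(oldKey, cn) // same key pair: not a re-key
	if err != nil {
		return false, false, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048) // fresh key pair: what the answers recommend
	if err != nil {
		return false, false, err
	}
	rekeyCSR, err := csrFor(newKey, cn)
	if err != nil {
		return false, false, err
	}
	if renewReuses, err = ReusesKey(oldCert, renewCSR); err != nil {
		return false, false, err
	}
	if rekeyReuses, err = ReusesKey(oldCert, rekeyCSR); err != nil {
		return false, false, err
	}
	return renewReuses, rekeyReuses, nil
}

func main() {
	renew, rekey, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("renewal CSR reuses old key: %v\n", renew) // true
	fmt.Printf("re-key CSR reuses old key:  %v\n", rekey) // false
}
```

`ReusesKey` returning true is the failure mode to catch: the CSR was generated from the existing private key, so the CA would issue a new certificate for a key that must be treated as compromised. Only a CSR whose SPKI fingerprint differs from the deployed certificate's counts as a re-key; the old certificate still has to be revoked with the CA as the first answer describes.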