With regards to the OpenSSL Heartbleed issue and resolution, should I revoke OR re-key my existing SSL cert?
-
This question appears to be off-topic because it is about software versions, administration and patching. Server Fault has quite a few questions on the topic: https://serverfault.com/questions/tagged/heartbleed. – jww Apr 09 '14 at 11:09
-
From the PKI point of view, there is no such thing as 'rekeying an existing certificate'. There may be from the commercial point of view: maybe you don't have to pay your CA again. The result of a new key is a new CSR and a new signed certificate. – user207421 Apr 13 '14 at 00:28
2 Answers
Because the private key might be compromised you need to re-key the certificate instead of just renewing it, i.e. use a new public/private key pair instead of renewing the old one. Revoking the compromised certificate needs to be done too, which may be done automatically if you create the new certificate with the same CA, but you should check this with the issuer (CA).
Note that the revocation process of the current PKI structure in the browsers is bad, e.g. some don't check, some ignore OCSP errors etc. And it is worse outside the browsers (e.g. scripts, mobile apps...). That's why in the last big compromises or cases of wrong CA behavior (Comodo, DigiNotar, FGC/A ...) you always got a new browser version :(

-
"Note, that the revoking process of the current PKI structure in the browsers is bad, e.g. some don't check, some ignore OCSP errors etc": +1. It's the reason to use certificates with 14 or 30 day lifetimes. It keeps the CRLs minimized, and it naturally expires any problems. – jww Apr 13 '14 at 15:23
ONCE you have fixed the problem (upgraded openssl), you can re-key your existing SSL cert.
Re-keying effectively issues a new certificate, and your old cert will be revoked automatically.
The other reason to revoke your certificate is if the information on the certificate (other than your keys) changes. This information is public anyway; it is included in the certificate which is handed out to anyone who connects.
Of course, if they have your private key, any information encrypted with that private key may also have been compromised - you may consider forcing a password change for any users who have logged in in the period in question. Especially administrators.

-
-
"Re-keying effectively issues a new certificate, and your old cert will be revoked automatically". That is, according to http://support.godaddy.com/help/article/4976/rekeying-an-ssl-certificate – AMADANON Inc. Apr 09 '14 at 00:18
-
That's not what I asked. Your answer states 'the only reason to revoke the certificate' and explicitly excludes the keys from it. It's not correct. At best it is highly misleading. – user207421 Apr 09 '14 at 01:44
-
Let me make it clear then: Certificate revocation is essential. Re-keying does do certificate revocation. – AMADANON Inc. Apr 09 '14 at 20:18
-
-
@AMADANONInc. That Godaddy page does not actually contain the quoted text (I don't know if they have changed it?). They refer to "deactivating" it, whatever that actually means. Them not outright stating that it revokes the existing certificate makes it less clear if it's an acceptable option. – Håkan Lindqvist Apr 10 '14 at 17:08
-
That quote was pointing to my post. Here is the quote from GoDaddy: "NOTE: We automatically deactivate the previous certificate when we issue the new, re-keyed certificate. Do not revoke unless you are certain you want to cancel the existing certificate." – AMADANON Inc. Apr 14 '14 at 22:45
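The re-key step that both answers describe (a new key pair and a new CSR, not a renewal of the old key), as an added example that is not part of either answer or of any CA's tooling. It assumes the `openssl` command-line tool is installed, uses a hypothetical subject `www.example.com`, and stands in a locally generated self-signed certificate for the CA-issued one you would really hold. The point of the check at the end is the one the comments circle around: the only thing that makes a "re-key" useful after Heartbleed is that the CSR carries a different public key than the old certificate, and that is something you can verify yourself before submitting anything.

```shell
#!/bin/sh
# Added example, not code from either answer or from any CA. It shows what a
# real re-key is: a NEW private key and a NEW CSR, checked against the old
# certificate so you cannot accidentally "re-key" with the leaked key.
# Everything here is constructed in a temp dir; the "old" certificate is
# self-signed as a stand-in for the CA-issued one you would actually hold.
set -eu

WORK="$(mktemp -d)"
SUBJ="/CN=www.example.com"   # hypothetical subject; use your real hostname

# Stand-in for the certificate and key you already have (the pair that a
# Heartbleed-exposed server may have leaked).
make_old_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$SUBJ" \
        -keyout "$WORK/old.key" -out "$WORK/old.crt" 2>/dev/null
}

# The re-key step: a fresh key pair and a CSR to hand to the CA.
# A plain renewal would sign the SAME public key again, which fixes nothing.
make_new_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/new.key" 2>/dev/null
    openssl req -new -key "$WORK/new.key" -subj "$SUBJ" \
        -out "$WORK/new.csr" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, taken from a cert (x509),
# a CSR (req) or a private key (pkey), so all three can be compared.
pubkey_fp() {
    case "$1" in
        pkey) openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
        *)    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null \
                  | openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the CSR carries a public key different from the old certificate's,
# i.e. the re-key is real; 1 when the old (possibly stolen) key was reused.
rekey_is_real() {
    [ "$(pubkey_fp x509 "$WORK/old.crt")" != "$(pubkey_fp req "$WORK/new.csr")" ]
}

# Consistency checks: each private key must match its own artefact.
old_key_matches_cert() {
    [ "$(pubkey_fp pkey "$WORK/old.key")" = "$(pubkey_fp x509 "$WORK/old.crt")" ]
}
new_key_matches_csr() {
    [ "$(pubkey_fp pkey "$WORK/new.key")" = "$(pubkey_fp req "$WORK/new.csr")" ]
}

make_old_cert
make_new_csr
if rekey_is_real; then
    echo "OK: $WORK/new.csr uses a fresh key; submit it to the CA, install the"
    echo "    new certificate, then confirm the CA revoked the old one."
else
    echo "FAIL: new.csr reuses the old public key; this is a renewal, not a re-key" >&2
fi
```

Two practical notes. First, do this on a host that already runs the patched OpenSSL, as the second answer says, or the new key can leak the same way. Second, do not take a CA's "we deactivate the previous certificate" at its word: once the re-keyed certificate is installed, read the OCSP responder out of the old certificate with `openssl x509 -in old.crt -noout -ocsp_uri` and query it with `openssl ocsp -issuer <issuer-chain.pem> -cert old.crt -url <that URI>` (this needs network access, which is why it is not in the offline block above). Even a confirmed revocation is only a partial remedy, for the reason the first answer gives: many clients never check it, so the key swap is the fix and the revocation is the clean-up.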