
In response to the Heartbleed news, I have upgraded OpenSSL on my production server and am now trying to reissue the SSL certificate. I am using a PositiveSSL Wildcard certificate on an Amazon ELB.

I have followed the below instructions to reissue my certificate via Namecheap: https://www.namecheap.com/support/knowledgebase/article.aspx/811

And have also added the new certificate credentials to my ELB: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_UpdatingLoadBalancerSSL.html

However, after doing this twice, the Heartbleed testing tools I'm using (http://possible.lv/tools/hb/, https://lastpass.com/heartbleed/) recognize that the upgrade has been made but continue to say that my certificate has not been re-issued and I may still be at risk.

Is there any additional work that needs to be done to make sure the reissued certificate is recognized? I have tried deleting the original ELB and creating a new one from scratch with the new certificate, but no luck. I have noticed that the file modified date on the re-issued certificate file sent to me by Comodo has not changed from the date I purchased the certificate.

Thanks in advance.

Hakan B.
  • Are you sure you generated a new private key and CSR? – Michael Hampton Apr 09 '14 at 16:39
  • Yes, although I'm obviously missing something. Quick thought -- is the date of reissuance for an SSL cert public information? I can't seem to figure out what metric they're using to tell me the certs haven't been reissued. Would the expiration dates change? – Hakan B. Apr 09 '14 at 20:27
  • Depends on your issuer. They could make it say whatever they want... – Michael Hampton Apr 09 '14 at 20:30
  • OK, thanks for your help. I have definitely followed the reissue process in the above links -- Comodo is the issuer via Namecheap. Really not sure where to go from here. – Hakan B. Apr 09 '14 at 20:40
  • It's probably Namecheap's fault. See [here](http://serverfault.com/a/587891/126632) and contact the issuer directly, bypassing them. – Michael Hampton Apr 09 '14 at 20:41
  • As a follow up -- Comodo insists the reissued certificates are correct and the testing tools I've been using are incorrect. We compared the modulus of the private key I generated and the newly signed certificate and they were equal, so I guess it's somewhere on the testing side. – Hakan B. Apr 09 '14 at 21:35

1 Answer


This was my mistake. I misinterpreted the testing tool results. I confirmed this with the creator of the possible.lv tool, who has since revised the results for clarity.

Hakan B.
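The modulus comparison mentioned in the comments, together with a check that a reissued certificate carries a new key rather than the old one, as an added example that is not part of the original thread. It compares public-key hashes instead of RSA moduli, so it goes slightly beyond the thread and also covers non-RSA keys. The function names, file names and the `*.example.test` sample certificates are constructed for illustration, and the private key is assumed to be unencrypted.

```sh
#!/bin/sh
# Added example, not from the thread. Sample certificates are constructed.

# SHA-256 of the DER public key, given a PEM public key on stdin.
spki_hash() { openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# Public-key hash of a certificate / of an unencrypted private key.
cert_spki() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pem" | spki_hash
}
key_spki() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    printf '%s\n' "$pem" | spki_hash
}

# 0 if CERT was issued for KEY, 1 if not, 2 if a file cannot be parsed.
key_matches_cert() {
    k=$(key_spki "$1") && c=$(cert_spki "$2") || return 2
    [ "$k" = "$c" ]
}

# 0 if NEW carries a different key than OLD, 1 if the old key was reused.
cert_rekeyed() {
    o=$(cert_spki "$1") && n=$(cert_spki "$2") || return 2
    [ "$o" != "$n" ]
}

# Fields a remote checker can see: serial, validity start, fingerprint.
cert_summary() { openssl x509 -in "$1" -noout -serial -startdate -fingerprint -sha256; }

# Constructed sample: self-signed cert for KEY, creating KEY if it is absent.
make_sample() {
    [ -f "$1" ] || openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl req -x509 -new -key "$1" -out "$2" -subj '/CN=*.example.test' -days 1 2>/dev/null
}

d=$(mktemp -d)
make_sample "$d/old.key" "$d/old.crt"      # certificate in use before the patch
make_sample "$d/new.key" "$d/new.crt"      # reissue with a fresh key
make_sample "$d/old.key" "$d/reused.crt"   # reissue that kept the old key
key_matches_cert "$d/new.key" "$d/new.crt" && echo "new.crt matches new.key"
cert_rekeyed "$d/old.crt" "$d/new.crt"     && echo "new.crt: key replaced"
cert_rekeyed "$d/old.crt" "$d/reused.crt"  || echo "reused.crt: old key still in use"
cert_summary "$d/new.crt"
rm -rf "$d"
```

To check what a load balancer actually serves, save the certificate it presents to a file and pass that file as the second argument to `cert_rekeyed`.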