
I have a question regarding the Heartbleed problem and SSL certificates. About Heartbleed many people say that admins should revoke their certificates and get new ones. I got my SSL certs from Startcom and, as you may know, they charge for revoking. I am very angry about that, but now my question(s):

- Is it possible to just switch from Startcom to another provider like Comodo, get new certs and change the certs on my server?
- Could there be any problems with the old certs if they are not being revoked?
- Is it possible to "block" these old certs on my server (Ubuntu 12.04)?

I don't think that my certs have been compromised but this is a serious topic for me.

Thanks in advance for your ideas and comments.

Kevin
    This question is not a programming question within the scope defined in the [help] –  Apr 18 '14 at 05:50
  • Where should I post this question? – Kevin Apr 18 '14 at 05:52
  • "I got my SSL certs from Startcom and as you may know they charge for revoking. I am very angry about that..." - You should not be angry with Startcom. They charge for revocation because that's where the costs lie (costs *do not* lie in issuing certificates). You should be angry with others in the CA Zoo for charging you when there's no need. Why would you do business with a CA that scams you? – jww Apr 18 '14 at 07:59

2 Answers


They charge for revoking

So? Presumably you knew that when you entered into the contract. They're entitled to charge for their services.

Is it possible to just switch from Startcom to another provider like Comodo, get new certs and change the certs on my server?

Sure, why not? Just pay them the money, whatever they want. Make sure to re-key. You have to assume that your private key has been compromised.

Could be there any problems with the old certs if they are not being revoked?

If you keep using them you can no longer assume your site is being identified uniquely by them, because of the possible private key leakage. Stop using them, delete them from your server, delete the private key too. Start again.

Is it possible to "block" these old certs on my server (Ubuntu 12.04)?

Just stop using them. Delete them from your server.

If anybody else presents them to your server as their own, that's another issue, and definite proof of both private key leakage and criminal impersonation, so for that purpose you might want to keep your private key and certs archived somewhere, add them to your revoked client certificate list, whatever facilities your server provides.

But I would formally revoke them. Pay the money. It's not something you want to skimp on.

user207421
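The answer above says "make sure to re-key" and assume the old private key is gone. The one thing that actually decides whether the replacement helps is whether it is signed over a new key pair; which CA signs it is irrelevant. The script below is an added example (not from the question or either answer) showing how to check that with nothing but openssl(1): it builds a constructed self-signed "old" certificate as a stand-in for the CA-issued one, produces a CSR the wrong way (from the old key, which a CA would happily sign) and the right way (from a freshly generated key), and compares SubjectPublicKeyInfo fingerprints. The hostname example.com, the file names and the temporary directory are placeholders of this example. The OCSP helper at the end needs network access and the issuer chain, so it is defined but not run.

```shell
#!/bin/sh
# Added example, not code from the original page. Checks that a replacement
# CSR really carries a NEW key pair, which is the only thing that defends
# against a private key leaked through Heartbleed. Needs only openssl(1).
# "old.crt"/"old.key" are a constructed self-signed stand-in for the
# CA-issued certificate; example.com is a placeholder name.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER SubjectPublicKeyInfo read as PEM from stdin. Two
# certificates (or a cert and a CSR) share a key pair exactly when this
# value matches, whichever CA signed them.
spki_fp() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
cert_key_fp() { openssl x509 -in "$1" -noout -pubkey | spki_fp; }
csr_key_fp()  { openssl req  -in "$1" -noout -pubkey | spki_fp; }
key_fp()      { openssl pkey -in "$1" -pubout | spki_fp; }

# Stand-in for the certificate in use before Heartbleed; old.key is the
# key that must be assumed leaked.
make_old_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/old.key" \
    -out "$WORK/old.crt" -days 30 -subj "/CN=example.com" 2>/dev/null
}

# WRONG: a CSR built from the old key. Any CA will sign it and the result
# looks new, but whoever holds old.key can still impersonate the server.
make_reissue_csr() {
  openssl req -new -key "$WORK/old.key" -out "$WORK/reissue.csr" \
    -subj "/CN=example.com"
}

# RIGHT: fresh key, CSR from that key. Delete the old key from the server
# once the new certificate is installed (archive it offline first if you
# want it as evidence later, as the answer suggests).
make_rekey_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/new.key" 2>/dev/null
  chmod 600 "$WORK/new.key"
  openssl req -new -key "$WORK/new.key" -out "$WORK/new.csr" \
    -subj "/CN=example.com"
}

# True (exit 0) when the CSR's key differs from the old certificate's key.
csr_is_rekeyed() {  # $1 = old cert, $2 = CSR
  [ "$(cert_key_fp "$1")" != "$(csr_key_fp "$2")" ]
}

# True when a private key file matches a CSR (the pair you will deploy).
key_matches_csr() {  # $1 = private key, $2 = CSR
  [ "$(key_fp "$1")" = "$(csr_key_fp "$2")" ]
}

# Ask the issuing CA's OCSP responder whether a certificate is revoked.
# Needs network access and the issuer/chain PEM, so it is not run here.
ocsp_status() {  # $1 = cert, $2 = issuer chain PEM
  url=$(openssl x509 -in "$1" -noout -ocsp_uri)
  openssl ocsp -issuer "$2" -cert "$1" -url "$url" -CAfile "$2"
}

make_old_cert
make_reissue_csr
make_rekey_csr

echo "old cert key : $(cert_key_fp "$WORK/old.crt")"
echo "reissue CSR  : $(csr_key_fp "$WORK/reissue.csr")  <- same key, useless"
echo "re-key CSR   : $(csr_key_fp "$WORK/new.csr")  <- new key"
```

Run the same `cert_key_fp` against the certificate the new CA sends back and against the old one before you install it: if the two fingerprints match, the CA reissued over the old key and you have gained nothing. Once the new certificate and key are deployed, remove `old.key` from the server; the old certificate by itself is public data and harmless, it is the key that matters.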

The vulnerability from switching certificates but failing to revoke the old certificates is that someone else who got your private key through the heartbleed bug could impersonate your server by presenting your old certificate on their server, for example in a man-in-the-middle attack. It's up to you if you want to take that chance, but I would recommend revoking the old certificate.

Warren Dew