
Amazon AWS sent an email today that users using the Elastic Load Balancing (ELB) service with SSL certificates should "rotate" them as a precaution (Heartbleed bug).

How exactly do I rotate an SSL certificate?

AWS Original Message: "The OpenSSL project has recently announced a security vulnerability in OpenSSL (which is used within ELB) affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160). While we've mitigated the impact of this issue for the Elastic Load Balancing service, we are writing to you because you have used a custom SSL certificate with one or more of your load balancers. As a precaution, it is our recommendation that you rotate your SSL certificates as soon as possible."

Thanks a lot for the help.

Banzinho

  • I strongly suspect it's shorthand for "*replace*". Generate a new key, a new CSR, and get it signed to give you a new certificate. – MadHatter Apr 09 '14 at 16:19
  • @MadHatter revoking the old certificate is also an important step, not to be forgotten. – Håkan Lindqvist Apr 09 '14 at 17:01
  • Thanks for the info @MadHatter, that means I'll need to pay for a new certificate then, are you sure there's no way to recreate the private key any other way? – Banzinho Apr 09 '14 at 18:52
  • Yes, I am; if there was an easy way to make a second private key matching a given public key, the whole field of cryptography would be sunk. – MadHatter Apr 09 '14 at 19:01
  • @EstebanEidJordán I don't think you'll have to pay for a brand new cert. Contact your CA if there doesn't seem to be a way to regenerate your private keys via their portal. – Nathan C Apr 09 '14 at 19:04
  • @EstebanEidJordán A reputable CA isn't generally going to charge you for a reissue if you have to revoke. – phoebus Apr 09 '14 at 19:13
  • Thank you @NathanC and MadHatter, as you said, my CA is reissuing the certificates with no charge. – Banzinho Apr 09 '14 at 19:35

2 Answers


I think you should check your OpenSSL version, then update it and finally generate a new SSL certificate.

Take a look at this website, you could find useful pieces of information: http://heartbleed.com/

fallais
  • "*Checking the OpenSSL version*" doesn't apply, as this relates to AWS ELBs, which are virtual appliances. But the rest I agree with! – MadHatter Apr 09 '14 at 16:40

The reason you received the email is because you uploaded an SSL certificate to the load balancer to handle HTTPS connections. The Heartbleed exploitation allows an attacker to gain access to arbitrary memory on the host machine (the ELB before it was patched), which means an attacker could have gotten your private certificate information that it used to decrypt the HTTPS connections.

For this reason you should rotate (I believe GoDaddy calls it "rekey") your certificate and upload a new one to the ELB (now that AWS has patched) so that the old one is invalidated and nobody can impersonate you if they previously used the exploit. Your new key will be safe in the ELB.

Now - if you also use backend SSL (between the ELB and your hosts) you will need to make sure that the backend hosts are running patched versions of OpenSSL and that the keys used in the backend communication are also rotated. How you do this depends on the OS / distribution, and there are many articles to help secure your systems directly from Heartbleed.

Ross
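The rotation that MadHatter's comment and the second answer describe (new key, new CSR, reissued certificate, upload to the ELB), as an added example that is not from this thread: the check worth doing after a CA "reissue" or "rekey" is that the returned certificate carries the new public key and not the one that may have leaked. It assumes `openssl` is on PATH (and the `aws` CLI for the upload function); the work directory, CN, certificate name and load balancer name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl is on PATH;
# the work directory, CN and load balancer name are placeholders.
set -eu

# Step 1: a brand-new private key and a CSR for it. The old key is never
# reused because Heartbleed may have exposed it from the ELB's memory.
gen_key_and_csr() {
    dir="$1"; cn="$2"
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null
    openssl req -new -key "$dir/new.key" -subj "/CN=$cn" -out "$dir/new.csr" 2>/dev/null
}

# SHA-256 of the public key carried by a PEM object.
# usage: pubkey_fp KIND FILE, where KIND is key, csr or cert
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Step 2 (once the CA returns the certificate): it must match the NEW key...
key_matches_cert() { [ "$(pubkey_fp key "$1")" = "$(pubkey_fp cert "$2")" ]; }

# ...and must NOT still carry the old, possibly leaked, key. A "reissue" that
# keeps the old public key is not a rotation.
cert_is_rekeyed() { [ "$(pubkey_fp key "$1")" != "$(pubkey_fp cert "$2")" ]; }

# Step 3: install the new pair on the ELB (needs the aws CLI; not run by tests).
# usage: install_on_elb DIR CERT_NAME ELB_NAME
install_on_elb() {
    arn=$(aws iam upload-server-certificate --server-certificate-name "$2" \
        --certificate-body "file://$1/new.crt" --private-key "file://$1/new.key" \
        --certificate-chain "file://$1/chain.pem" \
        --query 'ServerCertificateMetadata.Arn' --output text)
    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name "$3" \
        --load-balancer-port 443 --ssl-certificate-id "$arn"
}
```

Revoking the old certificate at the CA, as Håkan Lindqvist notes in the comments, is a separate step that these functions do not perform.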