With news of the Heartbleed bug (CVE-2014-0160), we have been receiving questions as to how this impacts the certification authority (CA) service at Entrust. In summary, Entrust SSL customers do not need to be concerned about the management of their certificates or their certificate management accounts.
The CA private keys are protected on a NIST FIPS 140-2 Level 3 hardware security module (HSM). The CA private keys never leave this hardware and are not exposed to any server using OpenSSL.
The certificate management service also runs on builds of OpenSSL that are not vulnerable to the Heartbleed bug. As such, users do not have to change their passwords and should not be concerned that their private information has been exposed.
Users of products that use OpenSSL, specifically versions 1.0.1 through 1.0.1f, need to upgrade their systems to OpenSSL 1.0.1g or to a vendor package that carries the fix. Note that many Linux distributions patched their existing 1.0.1 builds without changing the version number, so the version string alone neither proves nor disproves that a server is safe. If you do not know whether your Web server is vulnerable to Heartbleed, try the SSL server test from Qualys SSL Labs.
Please note that you may have other systems that also use OpenSSL, such as mail servers, VPN gateways, load balancers and other TLS endpoints, as well as client software that links against the library. Once OpenSSL has been upgraded, the server owner should consider reissuing their SSL certificate with a newly generated server private key (reissuing over the old key gains nothing if that key was read out of server memory) and then revoking the old certificate. Server owners should also consider advising their end-users to change their passwords, but only after the server has been patched and its certificate replaced; a password changed on a still-vulnerable server can be exposed again.
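As an added example of the procedure above (not Entrust's code, and not a tool this notice refers to), here is a POSIX shell script that classifies an installed OpenSSL version string against the affected range, generates a fresh private key and CSR for the reissue, and verifies that a CSR or the reissued certificate actually carries the new key. It assumes the openssl command-line tool is installed; the hostname www.example.com is a placeholder. The version check is only a first pass, since vendor packages that backported the fix keep an affected-looking version number, so the Qualys scan mentioned above remains the authoritative test.

```shell
#!/bin/sh
# Added example, not part of the Entrust notice: post-Heartbleed checks and
# key rotation for a server operator. Assumes a POSIX shell and the openssl
# command-line tool; www.example.com below is a placeholder hostname.

# Exit 0 if an "openssl version" string names a release in the affected
# range (1.0.1 through 1.0.1f; 1.0.2-beta1 was also affected). Caveat: many
# distributions backported the fix without changing the version number, so
# "affected" here means "unpatched unless your vendor says otherwise".
heartbleed_version_affected() {
    set -- $1                 # split "OpenSSL 1.0.1e-fips 11 Feb 2013" on blanks
    ver=$2                    # -> "1.0.1e-fips"
    case "$ver" in
        1.0.2-beta1*) return 0 ;;
    esac
    base=${ver%%-*}           # drop vendor suffixes such as "-fips"
    case "$base" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # heartbeat extension present, unpatched
        *)                return 1 ;;   # 1.0.1g+, 1.0.0, 0.9.8: not in the range
    esac
}

# Generate a fresh 2048-bit RSA key and a CSR for the reissue. Reissuing a
# certificate over the old key gains nothing if that key was read out of
# server memory, so the key must be new. The key file is created mode 0600.
make_new_key_and_csr() {           # make_new_key_and_csr HOST OUTDIR
    host=$1; outdir=$2
    (umask 077 && openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null)
    openssl req -new -key "$outdir/$host.key" -subj "/CN=$host" \
        -out "$outdir/$host.csr"
}

# Print the PEM public key carried by a private key, a CSR or a certificate.
public_key_of() {                  # public_key_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        *)    echo "public_key_of: unknown kind '$1'" >&2; return 2 ;;
    esac
}

# Exit 0 if FILE (a CSR or certificate) matches the private key KEYFILE.
# Run this before submitting the CSR and again on the reissued certificate,
# so the certificate the CA returns is installed against the new key and
# not accidentally against the compromised one.
key_matches() {                    # key_matches KEYFILE csr|cert FILE
    want=$(public_key_of key "$1") || return 1
    have=$(public_key_of "$2" "$3") || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Stand-alone use: report on the openssl in PATH, and with a hostname
# argument write HOST.key and HOST.csr to the current directory.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if heartbleed_version_affected "$v"; then
        echo "in the affected range (unless vendor-patched): $v"
    else
        echo "not in the affected range: $v"
    fi
    if [ $# -ge 1 ]; then
        make_new_key_and_csr "$1" .
        key_matches "./$1.key" csr "./$1.csr" &&
            echo "wrote $1.key and $1.csr; submit the CSR for reissue, then revoke the old certificate"
    fi
fi
```

Run it with no arguments to classify the OpenSSL in PATH, or with a hostname to write HOST.key and HOST.csr into the current directory. Submit the CSR through the certificate management account, check the returned certificate with key_matches before installing it, revoke the old certificate, and only then ask users to change their passwords.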
Please note that Entrust will support our customers by providing free certificate reissues and free certificate revocations. If you’d like to speak to Entrust Certificate Services directly about OpenSSL, please call 1-866-267-9297 (toll-free within North America) or 1-613-270-2680 (outside of North America), email firstname.lastname@example.org, or submit an online customer support form.