People who manage (paid for) SSL certs (for web servers, etc), don't make the same mistake I just did.
It was renewal time and I did what I always do: blindly hit renew on my cert provider/reseller control panel. I get the cert, install into apache, restart, then boom:
[ssl:emerg] [pid 11648] AH02565: Certificate and private key mydomain.blah:443:0 from /etc/pki/tls/certs/mycert.crt and /etc/pki/tls/private/mykey.key do not match AH00016: Configuration Failed
After a very brief WTF moment, it dawned on me: "heartbleed". I regen'd my CSR/key and got a reissued cert a few months back. That is done direct with the vendor (Thawte), and *not* through my reseller (OpenSRS). So Thawte had my new CSR, but OpenSRS still had my old CSR on file (the one with the possibly-compromised heartbleed key) and that is the CSR they sent to Thawte when I renewed! Doh!
So I had to make yet a new CSR/key, and have Thawte reissue a new cert, and then revoke the cert I (didn't) use for all of 5 seconds. Blah, there goes half an hour. I verified this is indeed what was happening with some openssl -modulus command line magic.
I've written to notify OpenSRS they should put up a warning on the renewal page. This doubly sucks because OpenSRS *still* will have cached the revoked/compromised CSR and if I forget *next* year to paste a new CSR in, I'll be doing the exact same thing!
Maybe the moral of the story is: always regen a new CSR every time you renew. An extra 2 mins and remembering some cryptic openssl commands; not the end of the world, but still a pain vs. just hitting "renew". Maybe everyone else already does this and I wasn't following "best practices", but don't we all like to keep things simple when we can?
Exercise for the curious/pedantic/strange people who read this far: Is there a way SRS or Thawte could have prevented this? Perhaps by linking the CSR used to make a revoked cert and disallowing renewals based on it? Or perhaps SRS needs an API with Thawte whereby you reissue via SRS, not Thawte, or Thawte needs to pass back the last-used-CSR to SRS so it can replace the stale cached copy.