How can I check if certificates generated with openssl are vulnerable to heartbleed
I am aware that you can show the version of openssl you are using by typing the following at the command line "openssl version".
I created a certificate and a key some time ago with similar names to server.cer and server.key.
The problem I have is that I am not sure what version of openssl they have been created with. Is there command you can use to find what version of openssl they were created with ? Do the certificates and keys store this information.
I am trying to confirm if they are vulnerable to the openssl heartbleed security issue.
Solution 1:
A certificate isn't vulnerable, or otherwise, to heartbleed. A certificate is just a certificate. There have been crypto issues in the past, particularly with respect to the RNG of choice, that caused weak keys (and thus vulnerable certificates) to be created, but heartbleed isn't a vulnerability of that type.
A key/certificate pair can have been compromised by heartbleed, irrespective of the version of OpenSSL with which it was created or even if it was created by a completely different SSL implementation, if it was used on a server that offered TLS services to the public using a vulnerable version of OpenSSL.
If it was not so used, it cannot have been compromised by heartbleed, even if it was created on a server that at that time was running a vulnerable version of OpenSSL.
(Now for the life's-more-complicated-than-you-would-like bit: if you created the key/certificate pair (or key/CSR pair) on a server and that server was at that time running a vulnerable version of OpenSSL and you were connected to that server by a method vulnerable to exploit (eg OpenVPN, but not OpenSSH) and you exposed the contents of the created keyfile to the connection stream, eg by cat'ing the file or by copying it over the connection, then it is possible that the certificate could have been compromised. But that's still not a vulnerability in the certificate as such, and it's not detectable by examination of the certificate (or any other way, as far as I am aware).