- It’s where the keys are generated that matters – not where the keys are used. So if you generated a certificate using the affected Debian platform, you’re affected, even if the certificate is used on a Windows platform, or some other Unix.
- If the certificate was signed by your private CA, just follow your own standard replacement procedure. If the certificate was signed by a public CA, you’ll need to go through their certificate replacement procedure. It’s encouraging that public CAs are taking a constructive attitude to this problem (see Verisign’s press release, and Thawte’s reissue policy, for example).
- Don’t forget to install the replacement certificate on all machines that need it (for example, if it is a wildcard certificate).
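
One way to confirm the replacement reached every machine is to compare the fingerprint of the certificate each host serves against the old and new certificates. This is an added example, not part of the original post; the host names and the sample "certificates" are constructed placeholders, and the helper names are hypothetical.

```python
import hashlib
import ssl

def fingerprint(pem):
    """SHA-256 fingerprint of the DER bytes inside a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def fetch_pem(host, port=443):
    """Return the leaf certificate a live server presents, or None if unreachable.
    No chain validation happens here; only the served bytes are of interest."""
    try:
        return ssl.get_server_certificate((host, port))
    except OSError:
        return None

def audit(served, old_pem, new_pem):
    """Classify each host by the certificate it serves.
    served maps host -> PEM string, or None when the host gave no certificate."""
    old_fp, new_fp = fingerprint(old_pem), fingerprint(new_pem)
    report = {}
    for host, pem in served.items():
        if pem is None:
            report[host] = "unreachable"
            continue
        fp = fingerprint(pem)
        if fp == new_fp:
            report[host] = "replaced"
        elif fp == old_fp:
            report[host] = "still-old"   # replacement was never installed here
        else:
            report[host] = "unexpected"  # neither certificate: investigate
    return report

def pending(report):
    """Hosts that still need attention, sorted for a stable work list."""
    return sorted(h for h, s in report.items() if s != "replaced")

# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-wildcard-cert")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-replacement-cert")
SAMPLE_SERVED = {
    "www.example.test": NEW_PEM,
    "mail.example.test": OLD_PEM,
    "shop.example.test": ssl.DER_cert_to_PEM_cert(b"constructed-other-cert"),
    "vpn.example.test": None,
}

if __name__ == "__main__":
    # For a live run: served = {h: fetch_pem(h) for h in hosts}
    for host, status in sorted(audit(SAMPLE_SERVED, OLD_PEM, NEW_PEM).items()):
        print(f"{host:20} {status}")
```

A host reported as "unexpected" is worth checking by hand: it may be serving a different certificate that was also generated on the affected platform.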
If you think you might be affected by this problem, don’t ignore it. Grasping for a silver lining – at least you can treat this as a fire drill for a nastier occasion, like your certificate being stolen.