by athoik 4450 days ago
Maybe Akamai should create a challenge just like Cloudflare did...
2 comments

We did, internally. We got key extraction in an hour, about the same as Cloudflare---so we save $10k and rotate exposed keys. Since we renew most certs on an annual basis, all our easy-to-rotate certs were flipped months ago. The outliers are weird custom stuff, or two-year EV certs.

You ever try rotating 400 EV certs in a weekend? Neither have most Certificate Authorities. They say security is people, processes, technology. Our tech worked well---but not so well I can't wish it were better. Our people did awesome, stalwart work. But the PKI industry processes are due for some serious reconsideration.

I can't tell you how badly I want TACK or DANE or CT live and working right now.

What would that solve? We already know that it's possible to compromise the private key using this bug. The problem is that no one knows whether attackers have actually done so, since very few organizations will log all the data going in and out of their servers.

Does it matter? Once you know they might have, you have to assume they did. That's why the Cloudflare challenge was watched so closely.