[mobiplayer]

This.

The problem is that many people in the industry doesn't really understand the basics. How come is there a leak of your certificate, if that's the public key you're showing to every single client that connects to your SSL enabled site?

I've even seen sysads advising on forums about reissuing certs after Heartbleed, but no word about the keys.

[mikeash]

I think that "no word about the keys" is simply due to a huge gulf in understanding. To the people giving out the advice, it's obvious that "reissue your certificates" implies "with a new private key", so obvious that they can't even imagine someone doing otherwise. It's easy to skip out on the basics that you're sure "everyone knows".

[higherpurpose]

Maybe they should just be advised to use PFS/ECDHE instead (which should be done anyway), and it would solve this problem by itself.

[sdevlin]

That would not solve the problem of active man-in-the-middle attacks.

[mobiplayer]

Yes, even renewing your keys and certs doesn't mean any previous communication is not compromised :)