If you have a web site with an SSL certificate then you are probably affected by the Heartbleed vulnerability that has just popped into general visibility. If your server is vulnerable, you need to do two things:
- Update openssl
- Replace your SSL certificate (since you have to assume that the certificate’s private key has been stolen).
Anyone in possession of your private key can a) impersonate your web site; and b) decrypt all past, present, and future traffic.
One little piece of the recovery is replacing the default certificate for your control panel. If you only have one server then clicking around in the control panel is OK. But if you have a lot of servers, that will quickly drive you bonkers.
Here is a shell script which will replace the default SSL certificate for Parallels Plesk Panel. The new certificate will be valid for 1095 days (three years). It will then use the new SSL certificate to secure the Plesk Panel itself.
#!/bin/sh
# replace the default Plesk SSL cert and use the new cert to secure Plesk Panel itself
# YourCountry = US or whatever 2-character ISO code
# YourState = your state or province spelled out
# YourEmailAddress = [email protected]
set -e
umask 077   # keep the new private key unreadable by other users while it sits on disk
if [ -d /etc/psa ]
then
  cd /tmp
  # new 2048-bit RSA key and a self-signed certificate valid for 1095 days (three years)
  openssl genrsa 2048 > privkey.pem
  openssl req -new -x509 -batch \
    -subj "/C=YourCountry/ST=YourState/L=YourCity/O=YourCompany/CN=$(hostname)/emailAddress=YourEmailAddress" \
    -key privkey.pem -out cert.pem -days 1095
  # register the pair in the admin repository and make it the server default
  /usr/local/psa/bin/certificate --create default-$(date +%Y-%m-%d) \
    -admin -default -key-file privkey.pem -cert-file cert.pem
  # the panel's own web server (sw-cp-server) reads cert and key from one combined file
  cat cert.pem privkey.pem > /opt/psa/admin/conf/httpsd.pem
  service sw-cp-server restart
  rm privkey.pem cert.pem
else
  echo "Plesk does not appear to be installed (/etc/psa is missing)" >&2
  exit 1
fi
I have tested this on Ubuntu 12.04 LTS with Parallels Plesk Panel 11.5 and 11.0.
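Once the script has run on a batch of servers, a quick way to confirm that each panel is really presenting the new certificate (and not the one whose key you assume was stolen) is to compare SHA-256 fingerprints. This is an added check, not part of the post's script; it assumes the panel is reachable on Plesk's 8443 port and that you kept a copy of the new cert.pem (or httpsd.pem) and, optionally, the old certificate.

```python
import base64
import hashlib
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def first_cert_block(pem: str) -> str:
    """Return the first certificate in a PEM blob.

    httpsd.pem as written by the script holds the certificate followed by the
    private key, so we must not assume the file is a single certificate."""
    start = pem.index(BEGIN)
    end = pem.index(END, start) + len(END)
    return pem[start:end]


def fingerprint_of_pem(pem: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of the DER form of the first cert."""
    body = first_cert_block(pem)[len(BEGIN):-len(END)]
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host: str, port: int = 8443) -> str:
    """Fingerprint of whatever certificate the panel presents on host:port.

    No chain validation is attempted (the cert is self-signed); the question
    is only WHICH certificate is being served."""
    return fingerprint_of_pem(ssl.get_server_certificate((host, port)))


def rotation_status(served_fp: str, new_pem: str, old_pem: str = "") -> str:
    """Classify the served fingerprint against the new cert.pem and, if given,
    the pre-Heartbleed certificate that must no longer be presented."""
    if served_fp == fingerprint_of_pem(new_pem):
        return "rotated"
    if old_pem and served_fp == fingerprint_of_pem(old_pem):
        return "old-cert-still-served"
    return "unexpected-cert"


if __name__ == "__main__":
    # usage: verify_plesk_cert.py <host> <new cert.pem> [old cert.pem]
    host, new_path = sys.argv[1], sys.argv[2]
    old = open(sys.argv[3]).read() if len(sys.argv) > 3 else ""
    print(host, rotation_status(served_fingerprint(host), open(new_path).read(), old))
```

Run it once per server from your workstation; anything other than "rotated" means that panel still needs attention.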