It's not a decision. If you were running a vulnerable version for any amount of time, then revoking and reissuing keys and certs after you patch is the only way to ensure someone doesn't have your private key material.

You must patch, revoke AND reissue.
If you are a public site and don't do this, then you are placing your future client data at risk.

On Wednesday, April 9, 2014, Steve Holdoway <steve@greengecko.co.nz> wrote:
On Wed, 2014-04-09 at 13:21 +1200, Dean Pemberton wrote:

[snip]

http://filippo.io/Heartbleed provides a quick and dirty tester; if you
want to optimize SSL usage, then https://www.ssllabs.com/ssltest is far
more thorough.

Most of my sites are CentOS 6 or Amazon Linux. With both of these, a

yum update openssl\*

followed by restarting your web server implements the fix.

You still have the decision as to whether to revoke and replace the
current cert though...


Steve
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa

_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
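
An updated OpenSSL package only takes effect in processes restarted after the update, so it is worth confirming nothing was missed. The following is an added example, not part of the original messages: a shell function that lists PIDs still mapping a deleted libssl/libcrypto. The function names, the optional proc-root argument and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# List PIDs that still map a libssl/libcrypto file that has been replaced on
# disk, i.e. processes that were not restarted after the package update.
# Usage: stale_openssl_pids [proc_root]   (proc_root defaults to /proc)
stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip unreadable entries (other users' processes, or no glob match).
        [ -r "$maps" ] || continue
        # When an update replaces a mapped library, the kernel shows the old,
        # still-loaded copy in the maps file with a "(deleted)" suffix.
        if grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# Constructed sample input: a fake proc tree with one process still holding
# the old library (1201) and one that was restarted after the update (1350).
# Prints the path of the temporary directory it creates.
make_sample_proc() {
    root="$(mktemp -d)"
    mkdir -p "$root/1201" "$root/1350"
    printf '%s\n' \
        '7f3a10000000-7f3a1005e000 r-xp 00000000 fd:00 131 /usr/lib64/libssl.so.1.0.1e (deleted)' \
        > "$root/1201/maps"
    printf '%s\n' \
        '7f9b20000000-7f9b20060000 r-xp 00000000 fd:00 977 /usr/lib64/libssl.so.1.0.1e' \
        > "$root/1350/maps"
    printf '%s\n' "$root"
}
```

Run `stale_openssl_pids` as root so every process's maps file is readable; an empty result means no running process still has the old library loaded. Binaries that link OpenSSL statically are not visible to this check.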