Hi, Heroku engineer here. We rekeyed our certificates, including the one for *.herokuapp.com, meaning we resent our original certificate requests (CSR) to our CA but signed with new private keys. This is why the dates didn't change.
Our CA will eventually revoke the previous incarnations of our certificates, signed with the old private keys, making them invalid.
Am I missing something, or doesn't the browser have to explicitly check for key revocation? I know the checkbox was off in my version of Chrome. Maybe I set it, but I'm not sure.
This [1] Seems to suggest that Firefox, for instance, only checks for EV certs?
Thanks! It might be reassuring to others who see the same mixed-signals if the official blogpost made specific mention of APPNAME.herokuapp.com HTTPS, and that the certificates may look older but really are fresh.
This is completely the wrong approach. Your private key might have been compromised and you're generating another certificate for the same compromised private key? What is that supposed to do?
We generated new CSRs, with new private keys, but with the same dates and details as the originals. This let us get fresh certs without going through a full renewal.
Our CA will eventually revoke the previous incarnations of our certificates, signed with the old private keys, making them invalid.