If my understanding is correct, the Heartbleed vulnerability affects any server running OpenSSL. Does this mean that root CAs need to update their root CA certs? Should I be doing that manually somehow?
Heartbleed affects servers terminating TLS connections using certain versions of OpenSSL. It doesn't impact certificate operations a CA would be doing, and CA root certificates are kept far, far away from front-end web servers that might run TLS. Usually in something like this: http://en.wikipedia.org/wiki/Hardware_security_module