Many Network Appliances Leak Master TLS Private Keys Through "Forward Secrecy"

Florian Weimer has published a paper (pdf, txt) showing that a wide variety of purpose-built network hardware leaks transport layer security keys when forward secrecy is enabled. The leaks occur because of faulty RSA signatures produced when the RSA software uses an optimization derived from the "Chinese Remainder Theorem" (CRT) without any further hardening or error checking. The problem with the CRT optimization has been known since 1996, when Arjen Lenstra brought these concerns about faults during RSA signature generation into the literature (pdf, png). Two decades later GnuTLS, PolarSSL and Libgcrypt lack checks for this potential calamity by default, while other software implementations have the checks but offer ways to disable them. On the affected appliances, once a faulty signature is emitted, the "forward secrecy" key agreement protocol serves as a channel for acquiring the private key.
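The faulty-CRT leak and the missing self-check described above, as an added example that is not code from Weimer's paper or this post; the key, message and fault are constructed toy values, and signing is textbook RSA without padding:

```python
# Added example (not from the paper or the post): RSA-CRT signing with and
# without the verify-before-release check that the post says GnuTLS, PolarSSL
# and Libgcrypt lacked by default. Small constructed key, textbook RSA, no padding.
from math import gcd

# Constructed toy key: p, q are small primes; never use these sizes for real keys.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def sign_crt(m, fault_in_p=False):
    """RSA-CRT signature s = m^d mod N built from two half-size exponentiations.
    fault_in_p simulates a fault that corrupts only the mod-p half, the failure
    mode Lenstra described."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P  # constructed fault: a wrong value in the p-branch
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def verify(m, s):
    """Public-key check; the hardening step is to run this before releasing s."""
    return pow(s, E, N) == m % N


def sign_hardened(m, fault_in_p=False):
    """Never release a signature that does not verify: a fault becomes an
    error instead of a key leak."""
    s = sign_crt(m, fault_in_p)
    if not verify(m, s):
        raise RuntimeError("CRT signature failed self-check; refusing to emit")
    return s


def hardened_rejects_fault(m):
    """True if the hardened signer refuses to emit a faulty signature."""
    try:
        sign_hardened(m, fault_in_p=True)
    except RuntimeError:
        return True
    return False


def factor_from_faulty_signature(m, s_bad):
    """Lenstra's observation: a signature correct mod q but wrong mod p
    satisfies gcd(s^e - m, N) = q, so one unchecked faulty signature reveals
    the private key. This is what the self-check above prevents."""
    return gcd((pow(s_bad, E, N) - m) % N, N)
```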

In this paper Weimer acquires the private keys largely through patience, waiting for signature flaws to occur during the TLS handshake, but it is likely that a nation state attacker, with two decades of public knowledge that the Chinese Remainder Theorem optimization actually exists as an implementation flaw, may have payloads to trigger the signing flaw with a high success rate. Weimer's survey was too small to be comprehensive, and it is safer to assume your network appliances were vulnerable to this key extraction attack until you have personally verified that they behave otherwise.

This incident once again highlights the importance of knowing which parts of your operation are critical, and in which way, so that you may implement actual solutions at the right places for your security. Repeatedly it has been shown that off the shelf solutions often keep the same vulnerabilities, with only the trigger changing slightly with every new patch. If your security depends on the public facing side of a Citrix load balancer maintaining the secrecy of a private key, there must have been a prior cascade of poor decisions leading to such a poor outcome. Security is not an outcome that a mere appliance can deliver on its own.

One thought on “Many Network Appliances Leak Master TLS Private Keys Through "Forward Secrecy"”

  1. Fucking incredilol.

    PKI is like BIP: bad by design. All of it. Burn the lot, no attempt to salvage anything.
