Server certificates and Heartbleed
Cloudflare, a large web-hosting company, has a very detailed article on how server certificates are not (in the real world) extractable using the Heartbleed bug:
They set up a test server and challenged anybody to obtain the private key. One person succeeded by exploiting Heartbleed immediately after the test server was rebooted.
Still, because of the way memory is allocated and accessed, even with Apache, their conclusion is that the probability of a successful extraction is very low.