$ heroku domains:add secure.mysite.com
$ heroku addons:add ssl
Create CSR - https://devcenter.heroku.com/articles/csr
If you go straight to GoDaddy and buy a certificate, it's $70. If you search google for "GoDaddy SSL Certificate" then you find massive discounts.
Now, when you're setting up your certificate in GoDaddy, it will ask you to paste in your CSR (Certificate Signing Request). You created this file in the last step and it's called server.csr. Open it and copy/past the text, which should look similar to this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw
EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l
eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r
uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM
MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv
tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi
PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K
9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXCs35
-----END CERTIFICATE REQUEST-----
Once GoDaddy approves your certificate, download it. They'll let you choose your type of server - choose "Apache". The zip will contain two files: gd_bundle.crt and secure.mysite.com.crt
$ cat secure.mysite.com.crt gd_bundle.crt > combined.crt
$ heroku certs:add combined.crt server.key
Here's the other step that I had to discover. When you add a custom domain to Heroku (step 2) they tell you to create a CNAME record for your domain from "secure.mysite.com" to something like "myappname.heroku.com". But for SSL, you'll want something different like "tokyo-2121.herokussl.com".
To figure out where your SSL CNAME should point, try this Heroku command: $ heroku certs