Getting a GoDaddy SSL Certificate (Part I)
Creating a Certificate Signing Request (CSR)
Note: To obtain an SSL certificate you first generate a private key and a Certificate Signing Request (CSR), then submit the CSR to the Certification Authority (CA), in this case GoDaddy. The CSR carries your certificate-application information (the subject fields below) and your public key, and is signed with your private key to prove you hold it. The key pair is created in the first step below, not by the CSR; the private key never leaves your machine, and GoDaddy sees only the CSR.
These instructions are based on my experience using a Mac OS X laptop. The following probably won't work if you are not working from a unix-based system (e.g. Mac OS X, Ubuntu Linux, etc.).
Steps to create a CSR:
Make a new directory to hold your project's SSL-related files. It doesn't really matter where you put it, but don't put it inside your rails project (alongside app, config, db, etc.): the private key would end up in your git repository. I keep it in a folder one level above my rails project.
Use OpenSSL to generate a 2,048-bit RSA private key ('host.key'); 2,048 bits is the minimum GoDaddy accepts. The -des3 option encrypts the key file with a pass phrase using Triple DES. This protects the file at rest only and has no bearing on the strength of the RSA key itself; current OpenSSL also accepts -aes256 here, which is the better choice.
openssl genrsa -des3 -out host.key 2048
It will ask you for a pass phrase. Choose a strong one and keep it safe: you will need it again when the key is decrypted for Heroku below.
Use OpenSSL to generate a Certificate Signing Request ('host.csr') signed with the key we just created. Despite the similar command, this is not a certificate; it is the request GoDaddy will build your certificate from.
openssl req -new -key host.key -out host.csr
You will be prompted for the following fields. Answer all of them except the last two 'extra' attributes, which are optional and can be left blank. Here are example responses:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) :San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Name
Organizational Unit Name (eg, section) :secure.yourdomain.com
Common Name (eg, YOUR name) :secure.yourdomain.com
Email Address :email@example.com
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password :
An optional company name :
It is very important you don't mistype anything here: the information is copied into the certificate and cannot be changed afterwards without requesting a new one. 'Common Name' must be exactly the hostname you are using on Heroku; it is the name browsers will match against, and a certificate for 'secure.yourdomain.com' will not be valid for 'yourdomain.com' or 'www.yourdomain.com'. 'Organizational Unit Name' is free-form (I reuse the hostname there, but GoDaddy does not require it). I highly recommend using a dedicated 'secure.yourdomain.com' host, as you will need to set a separate CNAME DNS record to route your secure traffic.
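As an added example (not part of the original post), here is the same key and CSR generation done non-interactively, with the checks worth running before pasting anything into GoDaddy: that the Common Name is exactly the hostname, that the request carries the public half of host.key, and that its signature verifies. The scratch directory, the pass phrase 'changeme' and the subject values are assumptions for the demo, and -aes256 is used in place of the post's -des3.

```shell
#!/bin/sh
# Added example (not from the original post): generate the key and CSR
# non-interactively, then check the request before submitting it to GoDaddy.
# Assumed for the demo: a scratch work directory, the pass phrase "changeme",
# and the example subject values from the post.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-changeme}"   # demo value; keep a real one out of your shell history
CN="secure.yourdomain.com"         # must be exactly the hostname Heroku serves

make_csr() {
  # 2048-bit RSA key, pass phrase-protected at rest with AES-256 (the post uses
  # -des3; either option only protects the file and does not change the key).
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$WORKDIR/host.key" 2048 2>/dev/null
  # Passing the subject with -subj instead of answering prompts rules out typos;
  # OU is free-form, so repeating the hostname there (as the post does) is optional.
  openssl req -new -key "$WORKDIR/host.key" -passin "pass:$KEY_PASS" \
    -subj "/C=US/ST=California/L=San Francisco/O=Your Company Name/OU=$CN/CN=$CN" \
    -out "$WORKDIR/host.csr"
}

# Print the Common Name exactly as GoDaddy will read it from the request.
csr_cn() {
  openssl req -in "$WORKDIR/host.csr" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The request must carry the public half of host.key, or the issued certificate
# will never match the key you later upload to Heroku.
csr_matches_key() {
  [ "$(openssl pkey -in "$WORKDIR/host.key" -passin "pass:$KEY_PASS" -pubout)" = \
    "$(openssl req -in "$WORKDIR/host.csr" -noout -pubkey)" ]
}

# A CSR is self-signed with the private key; a failing verify means the file is
# corrupt or was not produced from this key.
csr_signature_ok() {
  openssl req -in "$WORKDIR/host.csr" -noout -verify >/dev/null 2>&1
}

make_csr
echo "Common Name in request: $(csr_cn)"
csr_matches_key && echo "CSR carries the public key of host.key"
csr_signature_ok && echo "CSR signature verifies"
echo "Paste this into GoDaddy's CSR field:"
cat "$WORKDIR/host.csr"
```

If csr_cn prints anything other than the Heroku hostname, regenerate the CSR before submitting; the key can be reused, only the request needs redoing.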
Getting a GoDaddy SSL Certificate (Part II)
Return to where we left off with GoDaddy. After clicking 'Request Certificate' you should see a form asking the following:
Where is your certificate going to be hosted? Third Party
Enter your Certificate Signing Request (CSR) below: [copy contents of 'host.csr' here]
Select your certificate issuing organization: GoDaddy
Is this certificate for Intel vPro? No
Verify everything and then click through to finish. Once GoDaddy has validated the request you can view and download the certificate from the 'Manage Certificates' section of its site.
Prepare SSL Certificate for Heroku
Download your new SSL certificate from GoDaddy into the 'ssl-cert' directory created in Part I. You will get two files: 'secure.yourdomain.com.crt', your new server certificate, and 'gd_bundle.crt', the intermediate certificates that link it back to GoDaddy's root certificate.
Combine 'secure.yourdomain.com.crt' and 'host.key':
cat secure.yourdomain.com.crt host.key > host.pem
Decrypt the private key and write it, together with the certificate, into 'nopassphrase.pem'. The first command reads the encrypted key out of 'host.pem' and writes it without a pass phrase; the second extracts the certificate from 'host.pem' and appends it:
openssl rsa -in host.pem -out nopassphrase.pem
openssl x509 -in host.pem >> nopassphrase.pem
You will be asked for the pass phrase you set in Part I. I told you to remember it!
Open 'nopassphrase.pem' in a text editor and delete the whole private key block, from the BEGIN line to the END line inclusive (newer OpenSSL versions label it 'BEGIN PRIVATE KEY' rather than 'BEGIN RSA PRIVATE KEY'). Only the certificate should remain: this file becomes the public half of what you upload, and an unencrypted key left in it would be exposed wherever the file is copied:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Combine 'gd_bundle.crt' and 'nopassphrase.pem':
cat nopassphrase.pem gd_bundle.crt > public.pem
'gd_bundle.crt' holds the intermediate certificates that link your certificate to GoDaddy's trusted root. Browsers need them to validate the chain, so order matters in 'public.pem': your certificate first, then the bundle.
Write a copy of the private key without the pass phrase (required by Heroku, which cannot prompt for one):
openssl rsa -in host.key -out private.key
Yet again, you will be asked for the pass phrase you set in Part I. 'private.key' is now unencrypted: restrict its permissions so only you can read it, keep it out of version control, and treat the encrypted 'host.key' as your backup copy.
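Added example, not from the original post: the Heroku preparation above reduced to two commands, plus the checks a practitioner runs on the result (key matches certificate, chain file holds only certificates, key is unencrypted, leaf chains to a root through the bundle). Because a GoDaddy-issued certificate is not available offline, the script first builds a throwaway root and intermediate CA that stands in for GoDaddy and issues 'secure.yourdomain.com.crt' and 'gd_bundle.crt'; the names 'Demo Root' and 'Demo Intermediate', the directory and the pass phrase 'changeme' are demo assumptions. With real GoDaddy downloads, point D at your ssl-cert directory and comment out the issue_certs call.

```shell
#!/bin/sh
# Added example (not from the original post): prepare public.pem and private.key
# for Heroku and verify them. A throwaway root + intermediate CA stands in for
# GoDaddy so the script runs offline; "Demo Root", "Demo Intermediate", the
# directory and the pass phrase "changeme" are demo assumptions.
set -eu

D="${D:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-changeme}"
CN="secure.yourdomain.com"

# Stand-in for GoDaddy: issues $CN.crt and gd_bundle.crt. Not part of the real
# flow; with real GoDaddy files already in $D, do not call this.
issue_certs() {
  cat > "$D/ext.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$CN
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$D/ext.cnf" -days 30 -sha256 \
    -keyout "$D/root.key" -out "$D/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$D/ext.cnf" -subj "/CN=Demo Intermediate" \
    -keyout "$D/inter.key" -out "$D/inter.csr" 2>/dev/null
  openssl x509 -req -in "$D/inter.csr" -CA "$D/root.crt" -CAkey "$D/root.key" -CAcreateserial \
    -extfile "$D/ext.cnf" -extensions v3_ca -days 30 -sha256 -out "$D/gd_bundle.crt" 2>/dev/null
  # Part I of the post collapsed into one command: pass phrase-protected key plus CSR.
  openssl req -new -newkey rsa:2048 -config "$D/ext.cnf" -passout "pass:$KEY_PASS" \
    -subj "/C=US/ST=California/L=San Francisco/O=Your Company Name/CN=$CN" \
    -keyout "$D/host.key" -out "$D/host.csr" 2>/dev/null
  openssl x509 -req -in "$D/host.csr" -CA "$D/gd_bundle.crt" -CAkey "$D/inter.key" -CAcreateserial \
    -extfile "$D/ext.cnf" -extensions v3_leaf -days 30 -sha256 -out "$D/$CN.crt" 2>/dev/null
}

# The post's host.pem / nopassphrase.pem / manual-edit steps produce exactly this.
prepare_for_heroku() {
  # Decrypt the key (omit -passin to be prompted, as in the post).
  openssl rsa -in "$D/host.key" -passin "pass:$KEY_PASS" -out "$D/private.key" 2>/dev/null
  chmod 600 "$D/private.key"            # plaintext now; nobody else should read it
  # Server certificate first, then the intermediates that lead to the root.
  cat "$D/$CN.crt" "$D/gd_bundle.crt" > "$D/public.pem"
}

# Does private.key match the first certificate in public.pem?
cert_matches_key() {
  [ "$(openssl x509 -in "$D/public.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$D/private.key" -pubout)" ]
}

# public.pem must hold only certificates (leaf plus chain), never a private key.
chain_file_clean() {
  [ "$(grep -c 'BEGIN CERTIFICATE' "$D/public.pem")" -ge 2 ] &&
    ! grep -q 'PRIVATE KEY' "$D/public.pem"
}

# Heroku cannot answer a pass phrase prompt, so the key must be unencrypted.
key_unencrypted() {
  grep -q 'BEGIN .*PRIVATE KEY' "$D/private.key" && ! grep -q 'ENCRYPTED' "$D/private.key"
}

# The leaf must chain through the bundle to a trusted root. With a real GoDaddy
# certificate, drop -CAfile so the system trust store is used instead.
chain_verifies() {
  openssl verify -CAfile "$D/root.crt" -untrusted "$D/gd_bundle.crt" "$D/$CN.crt" >/dev/null 2>&1
}

issue_certs
prepare_for_heroku
cert_matches_key && chain_file_clean && key_unencrypted && chain_verifies &&
  echo "ready: heroku certs:add $D/public.pem $D/private.key"
```

A failing cert_matches_key almost always means the CSR was generated from a different key than the one being uploaded; a failing chain_verifies with real GoDaddy files usually means the bundle was omitted or placed before the server certificate.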
You might be asking yourself: What do all of these file extensions mean? Well, here you go:
*.csr -- Certificate Signing Request used for submission to signing authorities that issue SSL certificates
*.crt -- A certificate: your public key and the subject information from the CSR, signed by the CA. It may be followed by the chain of certificates back to the root. This is what you'll get from GoDaddy when you download a purchased certificate.
*.pem -- Not a different kind of content but a text encoding: Base64 between 'BEGIN' and 'END' lines. A .pem file may hold a certificate, a chain, a CSR or a private key; GoDaddy's .crt files use this encoding, which is why 'cat' can simply join them.
*.key -- The private key that matches the public key in the certificate. It is the one file here that must stay secret.
Add SSL Certificate to Heroku
Go to the root of your Heroku project folder and add the certificate chain file and the unencrypted private key to Heroku:
heroku certs:add /path/to/ssl-cert/public.pem /path/to/ssl-cert/private.key