Assumptions:
- You want to enable SSL for your domain.
- You want to go with RapidSSL.
- Your domain name is www.domain.com in this example.
- You want to encrypt requests for a single domain (no wildcard).
- You want to apply this certificate to Heroku's SSL Endpoint.
Enjoy.
First generate the private key file. You need it for the following reasons:
- It is required to generate the Certificate Signing Request (CSR, .csr file).
- It will have to be uploaded to Heroku later.

```
openssl genrsa -out www.domain.com.key 2048
```

Now, using that new key, we will generate the CSR. We need it for the following reason:
- It is required to request the certificate file (CRT, .crt file) from the vendor.

```
openssl req -new -key www.domain.com.key -out www.domain.com.csr
```

As you run this command, you will be asked a few questions. For most of them you can provide whatever you want.
HOWEVER, for the Common Name you need to provide the actual domain name you want to create the certificate for. In this case that is www.domain.com.
While we don't explicitly cover wildcards, if you want to request a wildcard, use *.domain.com as the Common Name.
Example:

```text
Country Name (2 letter code) [AU]: NL
State or Province Name (full name) [Some-State]: NH
Locality Name (eg, city) []: Amsterdam
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 1337Machine
Organizational Unit Name (eg, section) []: Internets
Common Name (eg, YOUR name) []: www.domain.com
Email Address []: me@domain.com
```
I recommend RapidSSL. It works. Find a vendor that sells them at a reasonable price; a standard SSL certificate costs around $10~20/year. Just for your information: wildcard SSL certificates are generally a lot more expensive.
Pro tip: Stay away from GoDaddy.com
I personally get all my certificates at Xolphin.nl but this won't be an option for you unless you're Dutch.
You might want to try one of these:
I have not used either of these, but have a look. If not, Google around and you'll definitely find something. There are a bunch of acceptable resellers out there.
In any case, find a vendor and use your www.domain.com.csr file to request a certificate. Usually they have you paste the contents of the CSR file into a form.
Just follow the instructions provided by the vendor.
Now that you have your certificate (.crt file), simply concatenate the rapidssl_bundle.pem from this gist onto your purchased certificate file to produce a new file. We'll call that new file www.domain.com.bundled.crt.
Assuming the crt file you were given is called www.domain.com.crt, do the following:

```
cat www.domain.com.crt rapidssl_bundle.pem > www.domain.com.bundled.crt
```

Now you're done setting up your SSL certificate.
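Before handing the bundle to Heroku it pays to verify that the key, CSR and certificate all carry the same public key, that the Common Name is the one you intended, and that the appended intermediate really is the leaf's issuer. The POSIX shell script below is an added example, not part of this gist; it assumes the file names used above (www.domain.com.key, www.domain.com.csr, www.domain.com.crt, rapidssl_bundle.pem) and that openssl is on the PATH.

```shell
#!/bin/sh
# Pre-flight checks for the bundling step (added example, not part of the gist).
# Assumes the gist's file names and a working openssl binary.

# SubjectPublicKeyInfo PEM of a key, CSR or certificate, chosen by extension.
pub_pem() {
  case "$1" in
    *.key) openssl pkey -in "$1" -pubout ;;
    *.csr) openssl req -in "$1" -noout -pubkey ;;
    *)     openssl x509 -in "$1" -noout -pubkey ;;
  esac
}

# SHA-256 fingerprint of that public key; fails (no hash) if the file is unreadable.
pub_fp() { pem=$(pub_pem "$1") || return 1; printf '%s\n' "$pem" | openssl sha256 | sed 's/^.*= *//'; }

# True when two of key/CSR/certificate carry the same public key.
same_pubkey() { a=$(pub_fp "$1") && b=$(pub_fp "$2") && [ "$a" = "$b" ]; }

# Common Name of a certificate (handles both "/CN=x" and "CN = x" subject styles).
cert_cn() { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# True when the leaf's issuer equals the subject of the first certificate in the
# bundle, i.e. the intermediate we append really signed the leaf.
issuer_in_bundle() {
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  s=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
  [ -n "$i" ] && [ "$i" = "$s" ]
}

# Leaf first, then intermediates. The extra echo guards against a CA-supplied .crt
# without a trailing newline, which would fuse "-----END" and "-----BEGIN" onto one
# line and make the bundle unparseable; blank lines are dropped again afterwards.
make_bundle() { { cat "$1"; echo; cat "$2"; } | grep -v '^$' > "$3"; }

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Run every check before `heroku certs:add`; exit status 0 means the bundle is ready.
preflight() {   # args: key crt chain out expected_cn
  same_pubkey "$1" "$2"        || { echo "key does not match certificate"; return 1; }
  [ "$(cert_cn "$2")" = "$5" ] || { echo "CN is $(cert_cn "$2"), expected $5"; return 1; }
  issuer_in_bundle "$2" "$3"   || { echo "chain does not start with the leaf's issuer"; return 1; }
  make_bundle "$2" "$3" "$4"
  echo "ok: $4 holds $(cert_count "$4") certificates"
}
```

Run it as `preflight www.domain.com.key www.domain.com.crt rapidssl_bundle.pem www.domain.com.bundled.crt www.domain.com` from the directory holding the files.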
Add your custom domain:

```
heroku domains:add www.domain.com
```

Then add the SSL Endpoint add-on:

```
heroku addons:add ssl
```

Finally, apply your certificate using your www.domain.com.bundled.crt (aka PEM) and www.domain.com.key:

```
heroku certs:add ./www.domain.com.bundled.crt ./www.domain.com.key
```

With this in place, go ahead and run the following command to see what your SSL endpoint is:

```
$ heroku certs
Endpoint                 Common Name(s)   Expires                Trusted
-----------------------  ---------------  ---------------------  -------
oita-4922.herokussl.com  www.domain.com   2013-06-29 08:14 CEST  True
```
Copy the Endpoint for www.domain.com, open your domain provider's control panel and configure the DNS with the following settings:
| Name | Type | Value |
|---|---|---|
| www | CNAME | oita-4922.herokussl.com. |
See that period at the end of the value? Yup.
Also ensure you have your Heroku A records in place while you're at it, so it knows which IPs to alias:
| Name | Type | Value |
|---|---|---|
| @ | A | 174.129.212.2 |
| @ | A | 75.101.145.87 |
| @ | A | 75.101.163.44 |
Save it and that should be sufficient. Flush your DNS cache, or otherwise just reboot your local machine (flushing the cache never works for me).
Then try to open https://www.domain.com/. If the changes have already propagated to your location, this should now display your application with SSL in place.
Hi @meskyanichi, thanks for this. Do you have a sense for why Heroku charges $20/mo. to facilitate an SSL certificate you're already renting from another provider? Is it typical for a host to charge a substantial fee for this if they're not providing the actual cert?