Installing an SSL certificate on Heroku (paid SSL Endpoint)

Before installing an SSL certificate on Heroku, first make sure you have all the essential files:

Note: The installation process involves purchasing an SSL Endpoint for your application at Heroku, importing the certificate files, and configuring DNS. Heroku SSL Endpoint is a paid service and costs $20/month (please refer to this article).

Please keep in mind that it is possible to have the certificate installed for *free* using the Heroku SSL option. To do so, use the following command:

$ heroku certs:add example.crt example.key

Once done, update your DNS settings for each domain on your app accordingly.
* To migrate to the free option when your app already has the SSL Endpoint add-on enabled, you also need to use the flag --type sni.

Note: If your certificate was reissued or renewed, you can update it on Heroku with the following command:

$ heroku certs:update server.crt server.key

Make sure to use the new certificate and the new key.

1. Create an SSL Endpoint by running the following command in the terminal of your local environment:

$ heroku addons:create ssl:endpoint

2. Upload the .crt file into the same SSL directory for your application and combine the main certificate and CA bundle into one separate file using the command:

$ cat example.crt bundle.crt > server.crt

3. Import the certificate and private key to the endpoint with the following command:

$ heroku certs:add server.crt server.key

You will see the details of the certificate and the hostname assigned to your SSL endpoint in the output:

Adding SSL Endpoint to example… done
example now served by
Certificate details:
Expires at:
Starts at:

Note: It may take up to 30 minutes (or as long as 2 hours, in rare cases) for the endpoint to be created.

4. When your SSL endpoint is created, it is necessary to direct requests for your secured domain to the endpoint hostname. If you have not added the domain to your app yet, do it now with the following command:

$ heroku domains:add
Adding to example… done

To direct requests to the endpoint hostname, create a CNAME record:

Record type        Name        Target
CNAME              www

A similar record for wildcard certificates:

Record type        Name        Target
CNAME              *

IMPORTANT: Setting a CNAME record for the root domain (@) will overwrite all the other records set up for the domain. For this reason, you’ll need your certificate to cover the subdomain (,, * so that you are able to create a CNAME for the subdomain.

It is possible to use a certificate issued for the bare domain ( ONLY if you use a DNS provider that supplies CNAME-like functionality at the zone apex.

All single domain certificates provided by Namecheap cover both and no matter which of the two you use as the Common Name for your certificate.
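
The files built in step 2 can be checked locally before they are uploaded in step 3. The script below is an added example, not part of the original article and not Heroku or Namecheap code; the file names follow the article and the function names are hypothetical. It assumes `awk` and the `openssl` command-line tool are installed.

```shell
#!/bin/sh
# Added example, not Heroku or Namecheap code. File names follow the article;
# the function names are hypothetical.

# Concatenate PEM files so every line ends in a newline. Plain `cat` fuses
# "-----END CERTIFICATE-----" with the next "-----BEGIN CERTIFICATE-----"
# when the first file lacks a trailing newline. Also strips CR line endings.
combine_pem() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out" || return 1
    done
}

# Print the number of certificates in a PEM file. Fails if a BEGIN/END
# marker shares its line with other text, if markers are unbalanced, or if
# the file holds no certificate at all.
pem_cert_count() {
    awk '
        { sub(/\r$/, "") }
        /-----BEGIN CERTIFICATE-----/ { b++; if ($0 != "-----BEGIN CERTIFICATE-----") bad = 1 }
        /-----END CERTIFICATE-----/   { e++; if ($0 != "-----END CERTIFICATE-----") bad = 1 }
        END { if (bad || b != e || b == 0) exit 1; print b }
    ' "$1"
}

# Succeed only if the private key belongs to the first certificate in the
# file (the leaf). `openssl x509` reads only the first certificate it finds.
key_matches_leaf() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run the checks only when the article's files are in the current directory.
if [ -f example.crt ] && [ -f bundle.crt ] && [ -f server.key ]; then
    combine_pem server.crt example.crt bundle.crt &&
    count=$(pem_cert_count server.crt) &&
    key_matches_leaf server.crt server.key &&
    echo "server.crt holds $count certificates and matches server.key" ||
    echo "server.crt or server.key failed a check; do not upload" >&2
fi
```

Run it in the directory that holds example.crt, bundle.crt and server.key; it writes server.crt and reports whether the chain file is well formed and paired with the key.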

That’s it! Your certificate is now configured and you can access the subdomain over https. To check if the certificate was installed correctly, use any of these checkers:

Note: The SSL Endpoint add-on described in this article is only recommended for supporting legacy Heroku applications, or for applications that require custom security policies. Here's the guide for SSL installation using the Heroku SSL option.