8

Our existing SSL certificate is about to expire, and so we're trying to install a new one. However, the instructions on Heroku are lacking...

Creating the bundle

To create the bundle, you're supposed to concatenate a bunch of intermediate cert files together in the correct order. Example on Heroku:

$ cat EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > bundle.pem

(https://devcenter.heroku.com/articles/ssl-certificate-dnsimple)

We received a different set of files:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • (www_our_domain).crt

How should they be concatenated? Is this correct?:

$ cat (www_our_domain).crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle.pem

Adding the certs

I'm assuming we don't need to provision another SSL endpoint, we just update the one we have...

$ heroku certs:add server.crt server.key bundle.pem

(https://devcenter.heroku.com/articles/ssl-endpoint#provision-the-add-on)

But it's unclear to me what happens to the old certs the add-on was originally provisioned with. Are they overwritten? Do they need to be removed?

Yarin

2 Answers

9

> How should they be concatenated? Is this correct?:

If you supply the 3 files server.crt, server.key and bundle.pem, you can skip (www_our_domain).crt in the bundle. Otherwise, simply supply a server.crt and a server.key.

$ cat (www_our_domain).crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > server.crt

> I'm assuming we don't need to provision another SSL endpoint, we just update the one we have...

To update a certificate use heroku certs:update, not heroku certs:add. See the official docs.

Simone Carletti
  • Hey Simone Carletti - is the `server.key` somehow attached to the generated certificates? Actually, the task that I'm working on is updating the SSL certificate of a Rails web app, and I've generated the bundle file server.crt and generated server.key on my machine, but somehow I'm unable to update the certificates and am getting a `No key found that signs the certificate.` error. Can you please point me in the right direction? – hasanadeem May 12 '20 at 11:35
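
Added example, not part of the answer or comment above and not Heroku's own tooling: two pre-upload checks with the openssl CLI, one that the concatenated file is ordered leaf first with each certificate issued by the next, and one that the private key belongs to the leaf certificate (the kind of mismatch an error such as `No key found that signs the certificate.` points to). The function names are made up for this example, and the order check compares issuer and subject names only; it does not verify signatures.

```shell
#!/bin/sh
# Added example: checks to run before `heroku certs:update`. Needs the openssl CLI.

# key_matches_cert CERT KEY: succeeds only if KEY is the private key of the
# first (leaf) certificate in CERT. Compares the two public keys in PEM form.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  # An empty value means openssl could not parse the file: treat as a mismatch.
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_in_order BUNDLE: succeeds only if every certificate in BUNDLE names
# the certificate that follows it as its issuer (leaf first, root last).
chain_in_order() {
  dir=$(mktemp -d) || return 2
  # Split the PEM bundle into one file per certificate: 1.pem, 2.pem, ...
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n {print > (d "/" n ".pem")}' "$1"
  i=1
  rc=0
  [ -f "$dir/1.pem" ] || rc=2   # no certificate found in the file
  while [ -f "$dir/$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -in "$dir/$i.pem" -noout -nameopt RFC2253 -issuer |
      sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -nameopt RFC2253 -subject |
      sed 's/^subject= *//')
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$subject'" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return $rc
}
```

Typical use is `chain_in_order server.crt && key_matches_cert server.crt server.key` on the files about to be uploaded.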
0

Heroku's GUI interface is now updated to allow you to update the SSL certificate.

From Heroku -- Settings -- Copy and paste the text in your .crt file, paste in your private key and you are done.

Gurooz