Adding a certificate chain to Heroku

SSL Endpoint on Heroku rocks.  However, certificates from some CAs (PositiveSSL among them) are signed by an intermediate CA rather than directly by a root, so you have to supply the intermediate certificate(s) as well before clients can establish the chain of trust.

In my case, I have a Wildcard cert from PositiveSSL.

$ heroku certs:add STAR_mydomain_com.crt mykey.key  --app myapp
Adding SSL endpoint to myapp... done
geospike-production-endpoint now served by aichi-1111.herokussl.com
Certificate details:
    subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.mydomain.com
    start date: 2012-05-15 08:00:00 CST
    expire date: 2013-05-16 07:59:59 CST
    common name(s): *.mydomain.com, mydomain.com
    issuer: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.mydomain.com
    SSL certificate is self signed.

Notice the last line: SSL certificate is self signed. Heroku has been given only the site certificate, so it has nothing linking that certificate to a root it trusts, and a client that does not already have the PositiveSSL intermediate cannot validate it either.

Adding the CA certificate in the same way doesn’t work: Heroku insists on a single certificate file.

What you need to do is bundle all the certificates into one PEM file and give that to Heroku. The order matters: your site’s certificate must be first, followed by the intermediate that signed it, with the root last. Check that each .crt file ends with a newline before concatenating; otherwise an END CERTIFICATE line and the next BEGIN CERTIFICATE line get glued together and the bundle won’t parse. Here’s how I did that:

$ cat STAR_mydomain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > STAR_mydomain_com_bundle.crt 

Remember: put your cert first in the cat command. I ordered the remaining certificates in reverse order of the chain of trust, not sure if that is necessary but it can’t hurt I guess.

Now when I update it on Heroku, it shows as trusted:

$ heroku certs:update STAR_mydomain_com_bundle.crt mykey.key --app myapp
Updating SSL endpoint aichi-1111.herokussl.com for myapp... done
Updated certificate details:
    subject: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.mydomain.com
    start date: 2012-05-15 08:00:00 CST
    expire date: 2013-05-16 07:59:59 CST
    common name(s): *.mydomain.com, mydomain.com
    issuer: /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.mydomain.com
    SSL certificate is verified by a root authority.
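Heroku only tells you whether the chain checks out after the upload. The script below is an added example, not part of the original post, that performs the same checks locally before certs:update: it builds a throwaway root, intermediate and wildcard leaf with openssl (hypothetical names standing in for AddTrustExternalCARoot.crt, PositiveSSLCA2.crt and STAR_mydomain_com.crt; none of them is a real CA), then checks that the first certificate in a bundle is the one your key belongs to, that every certificate is followed by the one that signed it, and that the leaf verifies against the root through the intermediate. It runs those checks on a correctly ordered bundle and on the common mistake of putting the root first. It needs only the openssl CLI, awk and sed.

```shell
#!/bin/sh
# Added example, not from the original post: check a certificate bundle locally
# before handing it to Heroku. All file and CA names below are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- Constructed test chain: throwaway root -> intermediate -> wildcard leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.mydomain.com,DNS:mydomain.com\n' > leaf.ext

openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.mydomain.com' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null

# The order Heroku (and any TLS server) wants: site cert, its issuer, then the root.
cat leaf.crt inter.crt root.crt > good_bundle.crt
# The common mistake: root first, following the trust chain top-down.
cat root.crt inter.crt leaf.crt > bad_bundle.crt

# Split a PEM bundle into numbered files ($2.1, $2.2, ...) and print the count.
split_bundle() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "." n; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# Strip the "subject=" / "issuer=" label so the two names can be compared as strings.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# The private key must belong to the FIRST certificate in the bundle (your site's).
# Compares the SubjectPublicKeyInfo from the cert with the one derived from the key.
key_matches_first_cert() {
    split_bundle "$1" km >/dev/null
    [ "$(openssl x509 -in km.1 -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Server order: certificate i must have been issued by certificate i+1, up to the root.
# Reports the first break so a mis-ordered cat is caught before the upload.
check_order() {
    n=$(split_bundle "$1" co)
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(cert_issuer "co.$i")
        next_subject=$(cert_subject "co.$((i + 1))")
        if [ "$issuer" != "$next_subject" ]; then
            echo "$1: certificate $i was issued by '$issuer' but certificate $((i + 1)) is '$next_subject'" >&2
            return 1
        fi
        i=$((i + 1))
    done
}

# Cryptographic check: the first certificate verifies up to the last one, using the
# rest of the bundle as untrusted intermediates. openssl verify does not care about
# file order, which is exactly why check_order is needed as a separate test.
verify_chain() {
    n=$(split_bundle "$1" vc)
    [ "$n" -ge 2 ] || return 1
    openssl verify -CAfile "vc.$n" -untrusted "$1" vc.1 >/dev/null 2>&1
}

report() {   # report BUNDLE KEY
    if key_matches_first_cert "$1" "$2"; then echo "$1 + $2: key matches first certificate"; else echo "$1 + $2: KEY DOES NOT MATCH first certificate"; fi
    if check_order "$1"; then echo "$1: order OK"; else echo "$1: ORDER WRONG"; fi
    if verify_chain "$1"; then echo "$1: chain verifies"; else echo "$1: chain does NOT verify"; fi
}

report good_bundle.crt leaf.key    # all three checks pass
report bad_bundle.crt  leaf.key    # key mismatch (root is first), order wrong, no verify
report good_bundle.crt inter.key   # wrong key for the site certificate
```

Against the real files you would run check_order and key_matches_first_cert on STAR_mydomain_com_bundle.crt and mykey.key, and verify_chain with AddTrustExternalCARoot.crt as the last certificate in the bundle. After certs:update, `openssl s_client -connect www.mydomain.com:443 -servername www.mydomain.com -showcerts` shows the chain the endpoint actually serves, in the order it serves it, which is the check from the client's side.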

4 comments on “Adding a certificate chain to Heroku”

  1. I’m a little confused as to exactly how much obfuscation you’ve applied to these details. I.e. are the issuer and subject really the same?

  2. Hey Rhys,

    All I did was find/replace my domain name with “mydomain”, and change the Heroku endpoint name. The issuer and subject fields are indeed the same in my original logs. Is that not expected?

    Will

  3. Thanks for this. I got the orders of the certs wrong when combining them, this helped.
