How can I configure multiple SSL certificates for a single app?

Issue

You have a single Heroku app that is available at several different domain names, and you want to be able to provide secure connections (TLS/SSL) to all of those domains.

Resolution

Automatic Certificate Management

ACM will provision certificates for free for up to 100 domains. Check the known limitations to see whether your use case is compatible; if it is, this is the cheapest and easiest option for non-wildcard domains.

SAN Certificates

If you haven't purchased a certificate yet, you should consider buying a SAN certificate. This will allow you to secure multiple domains with a single certificate. It works with either Heroku SSL or the SSL Endpoint add-on.

Multiple Certificates

If you have to use multiple certificates, you can only do that with the SSL Endpoint add-on. Say you want to provide certificates for foo.com and bar.com, but have both domains point to the foo-app Heroku app:

  1. Add the foo.com certificate to the foo-app app with heroku certs:add -a foo-app.
  2. Add the foo.com domain to the foo-app app with heroku domains:add foo.com -a foo-app.
  3. Configure the DNS for foo.com to point to the hostname you got from the previous step.
  4. Create a new app called something like bar-certificate, and run heroku addons:create ssl:endpoint -a bar-certificate.
  5. Upload the bar.com certificate to the bar-certificate app: heroku certs:add --type endpoint -a bar-certificate.
  6. Configure the DNS for bar.com to point to the SSL endpoint address you got from the previous step.
  7. Now add the bar.com domain to the foo-app app: heroku domains:add bar.com -a foo-app.

This will ensure that requests for bar.com use the proper certificate but end up getting routed to the foo-app application. Unfortunately, this approach isn't currently supported with the new Heroku SSL, so you'll have to use the SSL Endpoint add-on for your extra certificates.

Please note that the SSL Endpoint add-on is only available for apps on the Common Runtime (US or EU region).
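Whether you choose a SAN certificate or multiple certificates, it is worth confirming that every domain attached to the app is covered by the certificate that answers for it. The following is an added example, not Heroku's code: it checks a list of domains against a certificate's SAN entries and, going beyond the article's non-wildcard case, also applies the standard single-label wildcard rule. The SAN list and domain names are constructed sample data, and the function names are hypothetical.

```python
import socket
import ssl

def san_covers(hostname, dns_names):
    """True if any dNSName entry matches hostname (RFC 6125 wildcard rules)."""
    host = hostname.lower().rstrip(".")
    label, _, parent = host.partition(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        # "*." is honoured only as the whole left-most label and stands for
        # exactly one label: *.foo.com covers www.foo.com, not foo.com.
        if pattern.startswith("*.") and label and parent == pattern[2:]:
            return True
    return False

def uncovered(domains, dns_names):
    """Domains attached to the app that this certificate would not secure."""
    return [d for d in domains if not san_covers(d, dns_names)]

def served_dns_names(hostname, port=443, timeout=5.0):
    """dNSName entries of the certificate the endpoint serves for hostname (SNI)."""
    ctx = ssl.create_default_context()
    # Keep chain validation, but do the name comparison ourselves so that a
    # mismatch can be reported together with the names actually served.
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample data (not from the article): SAN entries of a candidate
# certificate and the custom domains attached to the app.
SAMPLE_SANS = ["foo.com", "*.foo.com", "bar.com"]
SAMPLE_DOMAINS = ["foo.com", "www.foo.com", "bar.com", "www.bar.com", "api.eu.foo.com"]

if __name__ == "__main__":
    for domain in uncovered(SAMPLE_DOMAINS, SAMPLE_SANS):
        print(f"not covered by the certificate: {domain}")
```

Once DNS for both domains is in place, calling uncovered([domain], served_dns_names(domain)) for foo.com and for bar.com shows whether each name is answered with a certificate that covers it.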