How to install an SSL certificate on Heroku

In order to install a certificate on Heroku, you need to have the following files:

  • Certificate file sent by the Certificate Authority once the certificate is issued. You can also download the certificate from your account. The file usually has the .crt extension.

  • CA bundle file (you can download this together with the certificate, or from this page in our Knowledgebase)

  • Private key file generated together with the CSR (Certificate Signing Request) and usually located on the same server.

It is worth saying that you need to purchase the SSL Endpoint for your application at Heroku, which costs $20/month.

Also, you can have a free certificate installed using the Heroku SSL option.

For this to be done, please use the following command: heroku certs:add example.crt example.key.

After that, DNS settings for each domain should be updated on your app accordingly.

* You also need to use the flag --type sni if your app already has the SSL Endpoint add-on enabled to migrate to the free option.

Note: The reissued or renewed certificate can be updated on the application using the following command: heroku certs:update server.crt server.key

(the server.crt and server.key should be the new certificate and new Key).

In order to install your certificate, feel free to follow such steps:

1. Create SSL Endpoint by running the following command in the terminal of your local environment:

$ heroku addons:create ssl:endpoint

2. Upload the .crt file into the same SSL directory for your application and combine the main certificate and CA bundle into one separate file using the command:

$ cat example.crt bundle.crt > server.crt

3. Import the certificate and private key to the endpoint with the following command:

$ heroku certs:add server.crt server.key

You will see the details of the certificate and hostname assigned to your SSL endpoint in the output:

Adding SSL Endpoint to example… done

example now served by

Certificate details:

Expires on:


Starts at:

Note: It may take up to 30 minutes (or as long as 2 hours, in rare cases) for the endpoint to be created.

4. Once it is done, you need to direct requests for your secured domain to the endpoint hostname. If the domain is not added to the app yet, you can do it with the following command:

$ heroku domains:add

Adding to example… done

To direct requests to the endpoint hostname, create a CNAME record:

Record type        Name                 Target

   CNAME               www

Similar record for Wildcard certificates:

Record type        Name                     Target

   CNAME                *  

Setting a CNAME record for the root domain (@) will overwrite all the other records set up for the domain. For this reason, you’ll need your certificate to cover the subdomain (,, * so that you are able to create a CNAME for the subdomain.

It is possible to use a certificate issued for the bare domain ( ONLY if you use a DNS provider that supplies a CNAME-like functionality at the zone apex.

Once all the mentioned steps are done, the certificate is installed and working via HTTPS.

To check if the certificate was installed correctly, use any of these checkers:



Powered by Zendesk