Buy yourself a “RapidSSL Certificate” at SSL Renewals. After you place your order, they may not send you an email, so log in, go to “Orders”, and look for the “Generate” button.

You must have access to admin@ your domain to proceed. They will send an email to verify your domain.

Generate a private key and CSR on your computer (see instructions for macOS or Windows).

Submit the .crt file, or certificate signing request, to SSL Renewals. For Web Server, select “Apache + MOD SSL”. Copy and paste the contents of the .crt file into the text box.

Use DNS authentication. It is easiest. You will need to set a TXT record on your domain name.

For “Please select the Secure Hashing Algorithm (SHA) you would like to use.” choose “SHA2-FULL-CHAIN”

Follow the instructions to create a TXT record. For the apex (root) domain, it should have no subdomain (leave blank). For a subdomain, it will instruct you to create a “domain” for a special content string.

The string is provided in what SSL Renewals calls “Alias Name”. Copy and paste this into the “content” setting of your new TXT record (do this in your DNS manager).

At the end of the process, go to the SSL Renewals tab, find your order, and find the “Download Certificates” button. You will receive a folder called Certs-12345678.

In it there will be several files:

CACertificate-INTERMEDIATE.cer
CACertificate-ROOT.cer
PKCS7.p7b
ServerCertificate.cer

Open these three files in a text editor: CACertificate-INTERMEDIATE.cer, CACertificate-ROOT.cer, ServerCertificate.cer

Create a new file that contains the contents of these three files, concatenated in this order:

ServerCertificate.cer
CACertificate-INTERMEDIATE.cer
CACertificate-ROOT.cer

Name your new file “-CHAINED” to distinguish it from the others.
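
One way to build the chained file from the command line instead of a text editor (an added example, not part of the original post). The function names and the output file name in the usage comment are assumptions; the three input file names are the ones from the download folder. It strips Windows line endings and makes sure each file ends with a newline, so one certificate's END line is never glued onto the next one's BEGIN line.

```shell
#!/bin/sh
# Usage (output file name is an example):
#   build_chain ServerCertificate.cer CACertificate-INTERMEDIATE.cer \
#               CACertificate-ROOT.cer ServerCertificate-CHAINED.cer

# Print one PEM file with CRs stripped and a guaranteed trailing newline.
pem_normalized() {
    tr -d '\r' < "$1" | awk '{ print }'
}

# Count lines in file $2 that are exactly the marker $1.
count_marker() {
    grep -c -x -F -- "$1" "$2"
}

build_chain() {
    server=$1 intermediate=$2 root=$3 out=$4
    for f in "$server" "$intermediate" "$root"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        # Each input must hold exactly one PEM (text) certificate.
        n=$(pem_normalized "$f" | grep -c -x -F -- '-----BEGIN CERTIFICATE-----')
        [ "$n" -eq 1 ] ||
            { echo "$f is not a single PEM certificate" >&2; return 1; }
    done
    # Order matters: server certificate first, then intermediate, then root.
    { pem_normalized "$server"
      pem_normalized "$intermediate"
      pem_normalized "$root"; } > "$out"
    # Sanity check: three complete BEGIN/END pairs, each on its own line.
    [ "$(count_marker '-----BEGIN CERTIFICATE-----' "$out")" -eq 3 ] &&
    [ "$(count_marker '-----END CERTIFICATE-----' "$out")" -eq 3 ]
}
```
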

Log into the Heroku web interface. Make sure you have deployed at least once.

On the command line, remove the automatically added Heroku SSL using

heroku certs:remove -a your-app-name

Verify with

heroku certs -a your-app-name

Back in the Heroku web interface, go to Settings > Configure SSL.

On the first screen, the “public certificate” is the new concatenated file you created. On the second screen the “private key” is the key you generated when you created the key & CSR.

(Reminder: never share your private key except with your web server provider.)

By Jason