Heroku SSL Certs


After a battle with SSL and Heroku last night, I thought it wise to share some hang-ups others might encounter.

Heroku has some decent documentation. If you need to purchase an SSL certificate, go here, which explains purchasing through DNSimple, then go here, which tells you how to add your new certificate to Heroku. Heroku has recently changed their default way of doing SSL to Endpoint-based SSL. They’re deprecating nearly every other method in favor of this one, which behaves a bit more rationally. If you’re on Hostname-based, switching over to Endpoint is a cinch.

CAVEATS!

  • Heroku’s “Prepare Certificate” section in the first link tells you to download the RapidSSL .pem intermediate certificates and append them to your public certificate. While this is great and all, it’s not enough and will raise security warnings on all versions of Firefox <= 11 (which is quite recent). I believe the RapidSSL certs only apply to domain-specific SSL certificates, not wildcard certificates. After you purchase your certificate, Comodo will send you a zip with 4 files: your public certificate, some intermediate certificates, and the root CA certificate (perhaps most important of all!). Follow this blog post from here on out, and you will be in good shape.

  • Heroku sends you your *.herokussl.com endpoint after you add certificates, not after you add the add-on. While their documentation, read carefully, says this, I was still confused about why we never received an email about it after adding the add-on.
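The first caveat comes down to assembling one PEM file in the right order (your certificate, then the intermediates, then the root) and confirming that a client which trusts only the root can walk the chain. The script below is an added example, not code from the post, from Heroku or from Comodo: it uses openssl to build a throwaway root, intermediate and wildcard certificate that stand in for the files in the CA's zip, concatenates them into a bundle, and verifies the bundle both with and without the intermediates. All subjects, file names and the `*.example.com` name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway three-tier PKI
# with openssl, assemble the one-file bundle Heroku expects (your certificate,
# then the intermediates, then the root) and check it the way a browser that
# trusts only the root would. Every name, subject and path here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so the commands run even where no openssl.cnf is installed.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions for the two CA certificates and for the wildcard server certificate.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:*.example.com\n' > leaf.ext

# issue_cert NAME SUBJECT EXTFILE [ISSUER]
# Creates NAME.key and NAME.csr, then signs NAME.crt with ISSUER, or self-signs
# when ISSUER is omitted (the root).
issue_cert() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout "$name.key" -out "$name.csr" -subj "$subj"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$ext" -out "$name.crt"
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$ext" -out "$name.crt"
  fi
}

# Stand-in for the certificate, intermediate and root files the CA's zip holds.
make_test_pki() {
  issue_cert root "/CN=Demo Root CA" ca.ext
  issue_cert intermediate "/CN=Demo Intermediate CA" ca.ext root
  issue_cert wildcard "/CN=*.example.com" leaf.ext intermediate
}

# Order matters: the server certificate must come first, then each issuer up
# the chain. Leaving the intermediate out is what produces the browser warning
# the post describes.
build_bundle() {
  cat wildcard.crt intermediate.crt root.crt > bundle.pem
}

# Print subject and issuer of every certificate in bundle order for an eyeball check.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -noout
}

count_certs() {
  grep -c 'BEGIN CERTIFICATE' bundle.pem
}

# Verify as a client that trusts only the root: every certificate in the bundle
# is offered as an untrusted chain link, and the first one is the subject checked.
verify_bundle() {
  openssl verify -CAfile root.crt -untrusted bundle.pem bundle.pem >/dev/null 2>&1
}

# The failure mode from the first caveat: the server certificate with no
# intermediate behind it cannot be chained back to the root.
verify_leaf_alone() {
  openssl verify -CAfile root.crt wildcard.crt >/dev/null 2>&1
}

make_test_pki
build_bundle
list_chain
echo "certificates in bundle: $(count_certs)"
if verify_bundle; then echo "bundle.pem: chain verifies"; else echo "bundle.pem: chain is broken"; fi
if verify_leaf_alone; then
  echo "leaf alone: unexpectedly OK"
else
  echo "leaf alone: no issuer found, which is what a browser lacking the intermediate sees"
fi
```

Running it prints the three subjects in bundle order, a successful verification of the bundle, and a failed verification of the bare certificate. The same `openssl verify -untrusted` idiom works on the real bundle you hand to Heroku, with the CA's actual root in place of `root.crt`. Including the root in the bundle, as the post recommends, is harmless, but it is the missing intermediate, not the root, that browsers complain about, since the root already sits in their trust store.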