So you have a multi-tenant application, with each tenant needing to serve its own experience over HTTPS using its own certificate. Heroku, AWS and other providers make it straightforward for a single SSL certificate, but what if you want to serve several tenants, each with its own unique certificate?

Let's just consider Heroku. Multiple SSL Endpoints and Multiple SSL Certificates in One Heroku Application provide key information on accomplishing this goal. However, there are subtleties involved in using the Heroku command line interface that can lead to you pointing your domains to the wrong place.

As the links indicate, to accomplish this on Heroku you will need to have a master application, my-prod-app, and several stand-in empty shell applications for your SSL endpoints. The manipulation of domains and certs within these applications is critical.

Let's take one SSL endpoint and follow the process through those final Heroku CLI commands. Our app should respond to requests from We will create an app called my-client-endpoint. We will follow this process that eventually gives us a key and a crt file that was returned by our SSL certificate signing authority. Let's say these files are named myclient.key and myclient.crt respectively.

Incidentally, when you get the crt file back from the signing authority, chances are good you will get back a zip with more than one crt file. These are the primary certificate and any applicable chained certificates. Simply append those files together using cat (the example uses the contents of a zip supplied by GoDaddy):

cat 6abf2aed2e69c650.crt > myclient.crt
cat gd_bundle-g2-g1.crt >> myclient.crt
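
Before uploading, it is worth confirming that the concatenated file has the primary certificate first, that it matches the key, and that each following certificate issued the one before it. The script below is an added example, not part of the original post: check_bundle, nth_cert and make_sample are hypothetical helper names, and the CA and tenant certificate are constructed test data generated locally with openssl.

```shell
#!/bin/sh
# Added example: pre-upload checks for a concatenated certificate bundle.

# make_sample DIR: write a constructed CA, tenant certificate and key to DIR.
make_sample() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=tenant.example.test" \
    -keyout "$d/myclient.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# nth_cert BUNDLE N: print the Nth PEM certificate found in BUNDLE.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"
}

# check_bundle BUNDLE KEY: succeed only if the first certificate in BUNDLE
# matches KEY and every later certificate is the issuer of the previous one.
check_bundle() {
  bundle=$1 key=$2
  count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle") || count=0
  [ "$count" -ge 1 ] || { echo "no certificates in $bundle" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "first certificate does not match $key" >&2; return 1; }
  n=1
  while [ "$n" -lt "$count" ]; do
    issuer=$(nth_cert "$bundle" "$n" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    subject=$(nth_cert "$bundle" $((n + 1)) | openssl x509 -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { echo "certificate $((n + 1)) did not issue certificate $n" >&2; return 1; }
    n=$((n + 1))
  done
  echo "ok: $count certificate(s), leaf first, key matches"
}

# Demo on constructed data: primary certificate first, then the chain.
tmp=$(mktemp -d) && make_sample "$tmp" || exit 1
cat "$tmp/leaf.crt" "$tmp/ca.crt" > "$tmp/myclient.crt"
check_bundle "$tmp/myclient.crt" "$tmp/myclient.key"
rm -rf "$tmp"
```

With real files, run check_bundle myclient.crt myclient.key just before heroku certs:add.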

Now we are ready for the command line. Add the cert with the target of the command being the endpoint application:

heroku certs:add myclient.crt myclient.key --type endpoint --app my-client-endpoint

Let's check that the cert is all good:

heroku certs --app my-client-endpoint

Name           Endpoint                     Common Name(s)                              Expires               Trusted  Type
─────────────  ───────────────────────────  ──────────────────────────────────────────  ────────────────────  ───────  ────────
tokiyama-24531,           2030-05-04 19:03 UTC  True     Endpoint

Now we need to use the endpoint to add the domain in a CLI command with the target of the master application:

heroku domains:add --app my-prod-app
heroku domains:add --app my-prod-app

Now let's look at the domains from the perspective of the master application:

heroku domains --app my-prod-app
=== my-prod-app Heroku Domain

=== my-prod-app Custom Domains
Domain Name                        DNS Target
─────────────────────────────────  ──────────────────────────────────────────────                

Now all that is left to do is some work for our client. They need to go do some admin work on their domain provider interface, namely to add a CNAME record pointing to this target (generated from the add certificate Heroku CLI command). All done.