The other day we needed to purchase an SSL certificate for one of our Heroku apps to ensure all information is transmitted securely. Luckily there is SSL Endpoint, a paid add-on service to get your certificate up and running on Heroku. They also have a pretty nice guide on exactly how to purchase a certificate and install it on a specific Heroku app. So far so good.
But when they explain how to create a CSR (certificate signing request), they use this command:
openssl req -nodes -new -key server.key -out server.csr
Ajj. This creates a CSR with the SHA-1 hash function. For us (and probably for you) this is not secure enough anymore. We want to use the newer and more secure SHA-2. We also set an explicit RSA key size of 4096 bits, since we don't want to depend on whatever default our openssl command might have. Setting it to 2048 bits is also still considered secure nowadays. But you definitely don't want a 1024-bit RSA key anymore!
The following openssl command generates a new 4096-bit private key and a CSR signed with SHA-256 (a SHA-2 hash):
openssl req -new -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.csr
When answering the signing questions, make sure the Common Name field matches your secure domain and the Country Name is a two-letter code, in ISO 3166-1 format, of the country in which your organization is based. You can now use your 4096-bit server.csr to request your certificate.
Verify your CSR
If you want to read (decode) the contents of your CSR to confirm it’s OK, you can use this command:
openssl req -in server.csr -noout -text
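As an added example (not part of the original post), the script below wraps the same two openssl commands into a non-interactive flow: it generates the 4096-bit key and SHA-256 CSR with the subject passed via -subj instead of prompts, then decodes the CSR and checks that the signature digest really is sha256WithRSAEncryption, that the key is at least 2048 bits, that the Common Name is the one you intended, that the CSR's own signature verifies, and that the private key actually matches the CSR. The subject fields and the www.example.com hostname are placeholders, and the script assumes openssl is on your PATH.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Generate a 4096-bit RSA key + SHA-256 CSR and verify the result before
# sending the CSR to a CA. Assumes the openssl CLI is installed.
set -eu

# make_csr KEYFILE CSRFILE COMMON_NAME
# Same command as in the post, plus -subj so no interactive questions are asked.
# C= and O= below are placeholder values; replace them with your own.
make_csr() {
    key="$1"; csr="$2"; cn="$3"
    openssl req -new -newkey rsa:4096 -sha256 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/C=NL/O=Example Org/CN=$cn" 2>/dev/null
}

# Signature digest used on the CSR, e.g. "sha256WithRSAEncryption".
csr_sig_alg() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}'
}

# RSA modulus size in bits, parsed from the "Public-Key: (N bit)" line.
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Common Name from the CSR subject (handles both "CN = x" and "/CN=x" output styles).
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_csr KEYFILE CSRFILE: the key and CSR must carry the same RSA modulus.
key_matches_csr() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl req -in "$2" -noout -modulus)" ]
}

# check_csr KEYFILE CSRFILE COMMON_NAME
# Returns 0 only when every property the post asks for is actually present.
check_csr() {
    key="$1"; csr="$2"; want_cn="$3"
    alg=$(csr_sig_alg "$csr"); bits=$(csr_key_bits "$csr"); cn=$(csr_cn "$csr")
    [ "$alg" = "sha256WithRSAEncryption" ] || { echo "weak digest: $alg" >&2; return 1; }
    [ "$bits" -ge 2048 ] || { echo "weak key: $bits bit" >&2; return 1; }
    [ "$cn" = "$want_cn" ] || { echo "CN mismatch: got '$cn'" >&2; return 1; }
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR self-signature does not verify" >&2; return 1; }
    key_matches_csr "$key" "$csr" || { echo "key does not match CSR" >&2; return 1; }
    echo "OK: CN=$cn, ${bits}-bit RSA, $alg"
}

# Run the whole flow when executed directly as:  sh csr.sh run
if [ "${1:-}" = "run" ]; then
    make_csr server.key server.csr www.example.com
    check_csr server.key server.csr www.example.com
fi
```

Running `sh csr.sh run` leaves server.key and server.csr in the current directory and prints one OK line; any failed check prints the reason to stderr and exits non-zero, which makes it easy to use the same functions as a gate in a deployment script.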
Once again, for a detailed instruction on how to use SSL on Heroku check out their SSL Endpoint guide.