New TLS certificate for hostnames

Change effective on 10 June 2020

On Tuesday June 9th 2020 Heroku changed the certificate used for terminating TLS for built-in <appname> hostnames from a certificate issued by DigiCert to one issued by Starfield/AWS. This change was rolled back on June 10th because a small subset of Heroku customers had pinned apps to the DigiCert certificate or had apps that could not establish a chain of trust with the new certificate for other reasons.

A new DigiCert-signed certificate will replace the current one before June 22nd (when it expires).

Heroku does not guarantee that certificates issued by, or used on, Heroku are issued by a particular certificate authority and we plan to migrate to Starfield/AWS issued certificates in the future. Heroku encourages customers to not pin individual certificates used on Heroku and to ensure that devices interacting with Heroku apps have updated root certificate bundles that are compatible with certificates issued by commonly used certificate authorities.