Changes to TLS certificate for Common Runtime .herokuapp.com hostnames

Change effective on 22 January 2021

On June 1st 2021 Heroku will change the TLS certificate used with the built-in .herokuapp.com domain names for apps on Common Runtime. The certificate is currently issued by DigiCert. On June 1st 2021 it will be replaced with a certificate issued by Starfield/AWS.

The change will not affect clients (like users’ browsers) accessing your app as both certificates are widely trusted. The change will only be noticeable if clients accessing your app (on the .herokuapp.com domain) are pinned to or otherwise expect a certificate issued by DigiCert. Heroku does not guarantee that certificates issued by, or used on, Heroku are issued by a particular certificate authority. Heroku encourages customers to not pin individual certificates used on Heroku and to ensure that devices interacting with Heroku apps have updated root certificate bundles that are compatible with certificates issued by commonly used certificate authorities.

The change will not affect Private Space apps.