Changes to TLS certificate for Common Runtime hostnames on June 1, 2021

Change effective on 20 May 2021

On June 1st, 2021, Heroku will change the TLS certificate used with the built-in domain names for apps on Common Runtime. The certificate is currently issued by DigiCert, but it will be replaced with a certificate issued by Starfield/AWS starting June 1st 2021.

The change will not affect clients (like users’ browsers) accessing your app as both certificates are widely trusted. The change will only be noticeable if clients accessing your app (on the domain) are pinned to or otherwise expect a certificate issued by DigiCert. Heroku does not guarantee that certificates issued by, or used on, Heroku are issued by a particular certificate authority. Heroku encourages customers to not pin individual certificates used on Heroku and to ensure that devices interacting with Heroku apps have updated root certificate bundles that are compatible with certificates issued by commonly used certificate authorities.

The change will not affect Private Space apps.