Purchase an SSL certificate.
I use Comodo PositiveSSL Wildcard from SSLs.
Activate the certificate.
Generate private key: openssl genrsa -aes256 -out server.pass.key 2048
While you can use a 4096-bit key on Heroku, the maximum key length on CloudFront is 2048 bits.
Save passphrase to password manager.
Strip away password: openssl rsa -in server.pass.key -out server.key
Generate CSR: openssl req -nodes -new -key server.key -out server.csr
FQDN: *.example.org
Challenge password: use only digits and letters.
Save the challenge password to the password manager.
Enter CSR at SSL reseller: cat server.csr | pbcopy
Approve via link in received email.
Receive certificate by email.
  Comodo: unzip.
  RapidSSL:
    Save webserver.crt: pbpaste > webserver.crt
    Save intermediate: pbpaste > intermediate_ca.crt
Create SSL certificate (server certificate first, then the intermediate chain):
  Comodo:
    cp STAR_example_org.ca-bundle bundle.crt
    cat STAR_example_org.crt bundle.crt > ssl.crt
  RapidSSL:
    cp webserver.crt ssl.crt
    cat intermediate_ca.crt >> ssl.crt
Verify the certificate was generated correctly: openssl x509 -in ssl.crt -text -noout
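Added checks for this step (example functions, not part of the original notes; they assume the file names above and the openssl CLI). They cover what the x509 -text command alone does not: x509 only parses the first PEM block, so confirm that block is the leaf, that server.key matches it, that the key is within CloudFront's 2048-bit limit, and that the leaf verifies against the bundle.

```shell
# Pre-upload checks for ssl.crt / server.key. Every function returns 0 on
# success and non-zero on failure, e.g.: check_key_bits server.key 2048 || exit 1

# Size in bits of an RSA private key (CloudFront via IAM tops out at 2048).
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Fail when the key is larger than the given maximum.
check_key_bits() {
    bits=$(key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -le "$2" ]
}

# The public key derived from server.key must equal the one inside the
# first certificate of the file; a mismatch means the wrong key or the wrong
# certificate order, and Heroku/CloudFront will reject the pair.
check_key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Number of PEM certificates in a file (ssl.crt = leaf + intermediates).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# "openssl x509 -in ssl.crt" reads only the FIRST certificate, so compare its
# fingerprint with the standalone server certificate to prove the order.
check_leaf_first() {
    first=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)
    leaf=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$first" ] && [ "$first" = "$leaf" ]
}

# The leaf must chain to the bundle: intermediates come from the bundle,
# the root from the system store (or from the bundle if it ships the root).
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run check_leaf_first ssl.crt STAR_example_org.crt (or webserver.crt for RapidSSL) and check_chain bundle.crt STAR_example_org.crt before the heroku and aws upload steps.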
Update Heroku certificate
heroku certs:update ssl.crt server.key -a your-app
Create new CloudFront certificate
aws iam upload-server-certificate --server-certificate-name new_star.example.org --certificate-body file://STAR_example_org.crt --private-key file://server.key --certificate-chain file://bundle.crt --path /cloudfront/
Update references from CloudFront distributions to new CloudFront certificate
Delete old CloudFront certificate
aws iam delete-server-certificate --server-certificate-name star.example.org
Rename new CloudFront certificate
aws iam update-server-certificate --server-certificate-name new_star.example.org --new-server-certificate-name star.example.org
Delete certificate emails.
Save all files to password manager and delete them on disk.