
I need to purchase an SSL certificate to use through a heroku server and iOS app. What exactly do I need?

I have created an iOS app, and rails server, that communicate with each other back and forth. I am using login capabilities, so I want SSL.

It appears an SSL endpoint on heroku is $20/mo. Adding that seems simple: heroku addons:create ssl:endpoint

Now, I need to purchase an SSL certificate.

1) Where's the cheapest place I can get an SSL certificate for my needs? There seems to be varying degrees of options. Do I just require the most basic?

2) What exactly do I receive with my purchase? A private key, and the certificate? I'm not too sure exactly what happens though. Is it like this... When the iOS client hits my server, and hits any https link, my server will return the certificate. The iOS app receives the certificate, and sends it to a Certificate Authority (CA). The CA will return the certificate along with the public key to the iOS app. The iOS app will then encrypt the data with the public key, and send it back to the server. The server will then use the private key to decrypt the data.

3) Where exactly do I store the private key on my rails server? In my db? In a .secrets file? In the heroku config?

#1: The SSL certificate you need depends on how many domains you want to secure. If it's just www.yourdomain.com and yourdomain.com, most certs (i.e. a Comodo PositiveSSL) will do the trick.

In addition:

  • DNSimple, who won't be the absolute cheapest, can do a lot of the work for you (key generation, CSR generation, and generating the certificate)

  • I (currently) use Namecheap for single-domain PositiveSSL and/or multi-domain PositiveSSL certs. Relatively cheap, two-factor authentication on their login, their UI is "usable" if not great.

#2: Heroku has an article on how to set up the endpoint once you have a cert: https://devcenter.heroku.com/articles/ssl-endpoint - which shows how to add the signed certificate and private key via heroku certs:add yourcert.crt yourkey.key

#3: Your iOS app should use the NSURLSession method to make calls to your Heroku application remotely. This handles the TLS (SSL) handshake and you don't have to worry about the particulars.

As an additional tip, you can also pin the certificate of your Heroku application in your iOS app. Your iOS app effectively matches its hardcoded signature against the signature in the certificate of your Heroku app so that it knows it's not just talking to some other HTTPS server.

Hopefully that's clear.

Added IRT comment

Note that when you add the SSL addon, you will get an SSL endpoint - eg sushi-bento-2141.herokussl.com - which already has SSL through Heroku's wildcard certificate. Your app can listen to requests on the non-SSL endpoint morning-evergreen-9385.herokuapp.com and re-direct them (301 permanent). You don't need to buy your own cert for this.

However, it's typically much nicer to have your own domain name (more recognisable for users!), for which you do have to buy a certificate (as per my answers above).
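The key, CSR and certificate steps mentioned in the answer, as an added example that is not part of the original post: the private key and CSR are created locally, only the CSR goes to the certificate vendor, and the returned certificate is checked against the key before running `heroku certs:add`. It assumes the `openssl` CLI is installed; the function names, script name and file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. Assumes the openssl CLI; function and file names are hypothetical.

# Create the private key and CSR locally. Only the CSR is sent to the vendor.
make_key_and_csr() {
    local host="$1" key="$2" csr="$3"
    # umask 077 keeps the key file readable by its owner only.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$key" -subj "/CN=$host" -out "$csr"
}

# Succeed only if the certificate carries the public half of this private key.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check the pair before uploading; prints the upload command from the answer.
preflight() {
    local cert="$1" key="$2"
    if ! cert_matches_key "$cert" "$key"; then
        echo "certificate and private key do not belong together" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 1
    fi
    echo "ok, next: heroku certs:add $cert $key"
}

# Usage: ./preflight.sh yourcert.crt yourkey.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The private key never needs to be in the Rails database or the repository for this flow; it is read from a local file once, when the upload command is run.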
