So here's the deal: you want to use SSL to transport some data that wouldn't make too many people happy if they knew it was in plaintext, but you don't need all the fancy seals and all that. Why? Because it's an iPhone app, not a bank website. In an iPhone app, what you really want is to secure the data; you don't really care for the vain side of showing off how secure it all is. FanPulse follows high-quality products with the same notion that apps, especially ours, always maintain the best security for your information. No need to flaunt this fact; it's a standard, it must be done.
The issue we ran into was that we went with a provider who seemed pretty good for domain management and has some awesome customer support representatives. So we tried out GoDaddy. Bad idea! This 10-minute procedure of setting everything up on Heroku ended up taking an entire night because GoDaddy has some really deeply chained certificates. What this means is that the certificates work only with Windows machines and browsers, not your iPhone, nor your Safari.
Sure, there are ways around it, including this one, which is actually one of the cleaner ways of doing it. But one day when you move off of that server, or you're simply on a cloud solution like Heroku, it's not that easy nor clean. Simply put, don't use GoDaddy. Now we have to get a refund, which doesn't include a $15 "admin" fee. Really, what did you guys do that was $15 worth? I spent more hours that cost way more messing around with your cert!
I tried out RapidSSL.com's free trial package, which is fully functional and free for 30 days. It's fast, not chained, worked right out of the box, and within 5 minutes it all worked, even on Heroku. So screw trying to go with GoDaddy, no matter how attractive Danica Patrick is, and go with an unchained SSL cert from someone like rapidssl.com.
To get started with this whole SSL cert thing, you'll need a Certificate Signing Request (CSR). Follow the instructions on this awesome post here to get your CSR. Once you submit that to the Certificate Authority (i.e. RapidSSL, which actually sends it off to GeoTrust), it will go through a few verification steps, including sending an email to the person who registered the domain (RapidSSL actually lets you choose amongst a few addresses) and calling your phone number with an automated recording asking for a confirmation code. Once that's all done, you click a few more approve buttons and you get an email with your cert. Finish off the last few steps in the post I just linked to in order to generate your .pem.
Now here's the Heroku part. I would highly suggest using SNI SSL and their sni_ssl add-on; it's the cleanest way to do it in a cloud instance. If for some reason you want to support Internet Explorer and continue to allow people to torture themselves in the world's worst browser ever, you'll want to do the whole custom SSL thing. BUT, if you're following this post because you have an iPhone app that needs to talk securely to your Heroku backend, just go with SNI:
heroku addons:add sni_ssl
Before you can install your cert onto Heroku, you have to remove the passphrase (password) from your key, since Heroku has no way to enter it when the dyno starts:
openssl rsa -in fanpulse.key -out fanpulse_nopw.key
I used the fanpulse.key file as an example of the key we generated; replace that with your own. Once you have this non-password-protected key, install it onto Heroku:
heroku ssl:add cert.pem fanpulse_nopw.key
There's a tiny bit of lag, so wait a little (a minute or two) and then check your site with https://blah and from your iPhone app / simulator. It should be dandy at that point.
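Before running heroku ssl:add, it's worth checking locally that the key really has no passphrase, that it matches the cert, and that the .pem carries the full chain (the chained-certificate problem above is exactly a chain the client can't complete). The script below is an added example, not from the original post or from Heroku; it assumes openssl is on the PATH, and the file names are placeholders for your own cert and key.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a cert/key pair before `heroku ssl:add`.
# 1) strip the passphrase from the key, 2) confirm the key matches the cert,
# 3) confirm the .pem bundle chains leaf -> intermediates -> a trusted root.
set -u

# Write a passphrase-free copy of a private key (the step the post describes).
# usage: strip_key_password in.key out.key [passphrase]
strip_key_password() {
  local in="$1" out="$2" pw="${3:-}"
  if [ -n "$pw" ]; then
    openssl rsa -in "$in" -passin "pass:$pw" -out "$out" 2>/dev/null
  else
    openssl rsa -in "$in" -out "$out" 2>/dev/null
  fi
}

# Succeeds only if the key file is not encrypted (Heroku can't prompt for it).
key_has_no_passphrase() {
  ! grep -q 'ENCRYPTED' "$1"
}

# Succeeds if the public key inside the cert equals the key's public key.
# usage: key_matches_cert cert.pem key.pem
key_matches_cert() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Number of certificates in a PEM bundle (leaf + intermediates).
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Succeeds if the first cert in the bundle (the leaf) verifies up to a root in
# roots.pem using only the intermediates shipped in the bundle itself, i.e. what
# a client with no extra help (an iPhone, Safari) has to work with.
# usage: chain_ok bundle.pem roots.pem
chain_ok() {
  openssl x509 -in "$1" 2>/dev/null |
    openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}
```

Run chain_ok against the .pem you intend to upload: if it only passes once you add an intermediate file, that intermediate belongs in the bundle, after the leaf.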
Lastly, the picture of the key above is a picture I took on Alcatraz Island in the San Francisco Bay =)
