Generating a CSR for root domain (includes www or not?)

speg · Aug 23, 2013

I am trying to set up SSL for the first time. I purchased my domain and SSL certificate from Gandi.net. Their docs say:

subdomain.example.com indicates the subdomain that you want to protect. This is the most important part. If you have a single-address certificate to activate, you should put in the full subdomain (e.g. foo.example.com). The www subdomain is added automatically by the CA, for example, example.com will secure both example.com and www.example.com. If you have a wildcard certificate, you should put in a * for the subdomain (e.g. *.example.com). Wildcard certificates also secure the raw domain (with no subdomain). - http://wiki.gandi.net/en/ssl/csr

I am hosting my app on Heroku and their docs say:

The Common Name field must match the secure domain. You cannot purchase a certificate for the root domain, e.g., example.com, and expect to secure www.example.com. The inverse is also true. Additionally, SSL Endpoint only supports one certificate per app. Please keep this in mind for multi-domain applications and specify a Common Domain that matches all required domains. - https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate

These seem to conflict. Please advise!

Answer

Thomas Orozco · Aug 23, 2013

You'll want to get a certificate from an authority that supports the Subject Alternate Name X.509 extension.

This will let you get a domain with its Common Name set to www.mydomain.com, and an Alternate Name set to mydomain.com (as Lloeki noted, you should provide both names as alternate names).
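The approach in the answer above, as an added example that is not part of the original answer: an OpenSSL CSR with the www name as Common Name and both names listed as Subject Alternative Names, followed by a check of what the CSR actually requests. The domains, file names and the helper functions `make_san_csr` and `csr_san_names` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: example.com / www.example.com are placeholder domains.

make_san_csr() {
    # $1 = Common Name, $2 = output directory, remaining args = extra SAN names
    cn=$1; outdir=$2; shift 2
    san="DNS:$cn"                      # the CN is repeated in the SAN list
    for name in "$@"; do san="$san,DNS:$name"; done

    # Minimal request config; a config file is used for the SAN extension.
    cat > "$outdir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF

    # New 2048-bit RSA key plus CSR; umask keeps the private key owner-only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$outdir/server.key" -out "$outdir/server.csr" \
          -config "$outdir/csr.cnf" 2>/dev/null )
}

csr_san_names() {
    # Print the DNS names in the CSR's SAN extension, one per line.
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

workdir=$(mktemp -d)
make_san_csr www.example.com "$workdir" example.com
csr_san_names "$workdir/server.csr"
```

The CA decides which names appear in the issued certificate (Gandi's documentation quoted in the question says it adds www itself), so the same SAN check is worth repeating on the certificate that comes back before installing it.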