Sasha

Reputation: 6466

SSL, GitHub, and Heroku -- is pushing secure?

I just bought an SSL certificate for my Heroku-deployed app. Following their instructions, I downloaded the certificate and private key, saved them in server.crt and server.key files (with some RapidSSL CA deal thrown in there), and am now planning on pushing and deploying. The worry is, my GitHub repo is public, and I feel like it's a bad idea to push my "private" keys and certificates to a public site. Sort of defeats the purpose of the SSL, right?

But how else do I get it to work without publishing this info? I'm new to SSL and coding, and I just very much do not want to throw away the security I just spent good money on because I don't understand how this all works.

Sorry if this question wasn't very code-y. Just didn't know where better to ask.

EDIT -- I'm looking at Heroku docs right now that say to add a Heroku SSL Add-On, and then just type

heroku certs:add server.crt server.key

to get Heroku to pick up on the files and use the SSL Certificate. But that doesn't change the problem that I have two files in my PUBLIC repo with PRIVATE security info. Do I just add them to .gitignore or something?

Upvotes: 2

Views: 240

Answers (2)

Manish Malik

Reputation: 326

Heroku does not require you to push those two files to your repository. You can simply do heroku certs, and it will pick and upload them from your local folder. The repo isn't involved.

Upvotes: 4

davidrac

Reputation: 10738

You should not check any of the files that you created for the SSL into source control (server.crt, server.key, etc.), nor push them to Heroku. As Heroku's documentation states, you should use the certs command line to add them once you have an SSL add-on.

Upvotes: 5
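
A way to confirm, before pushing, that the key files from the question are not in the repository. This is an added example, not part of the thread or of Heroku's tooling; the function names are hypothetical and the file names server.key and server.crt are taken from the question.

```shell
#!/bin/sh
# Added example (not from the thread). File names follow the question:
# server.key / server.crt. Function names are hypothetical.

# PEM header of a private key (RSA, EC, PKCS#8, encrypted PKCS#8, ...).
KEY_MARKER='-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Files under DIR (ignoring .git) that contain a private key.
find_private_keys() {
    grep -rlE --exclude-dir=.git -e "$KEY_MARKER" "${1:-.}" 2>/dev/null
}

# Files in the index of the repo at DIR (tracked or staged) that contain
# a private key. These are what a push would publish.
tracked_private_keys() {
    ( cd "${1:-.}" && git grep --cached -lIE -e "$KEY_MARKER" 2>/dev/null )
}

# Commits on any ref that touched FILE. A key listed here stays in the
# history even if a later commit deletes the file.
commits_touching() {
    ( cd "$1" && git log --all --oneline -- "$2" 2>/dev/null )
}

# Add the key files to .gitignore, once each.
ignore_key_files() {
    for pat in server.key server.crt; do
        grep -qxF -e "$pat" "$1/.gitignore" 2>/dev/null ||
            printf '%s\n' "$pat" >> "$1/.gitignore"
    done
}

# Exit status 0 if no private key is tracked or staged, 1 otherwise.
check_repo() {
    hits=$(tracked_private_keys "${1:-.}" || true)
    [ -z "$hits" ] && return 0
    printf 'private key material in the index:\n%s\n' "$hits" >&2
    return 1
}
```

A .gitignore entry only affects untracked files; a key that is already tracked has to be removed from the index with `git rm --cached server.key` first. If `commits_touching . server.key` prints anything, the key is in the history and should be treated as exposed.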
