How do I securely store a .pem file when working with git-tracked heroku project?

Question

I've got a git-tracked repo and am setting it up to work with APN for IOS push notifications. I'm looking at implementing the npm module node-apn in a similar way as PushNotificationSample

In this code, there is

var options = {
    gateway: 'gateway.sandbox.push.apple.com', // this URL is different for Apple's Production Servers and changes when you go to production
    errorCallback: callback,
    cert: 'your-cert.pem', // ** NEED TO SET TO YOURS - see this tutorial - http://www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
    key:  'your-key.pem',  // ** NEED TO SET TO YOURS
    passphrase: 'your-pw', // ** NEED TO SET TO YOURS
    port: 2195,                       
    enhanced: true,                   
    cacheLength: 100                  
}

However, how am I meant to reference my .pem files without committing them to Github?

At the moment, I'm deploying to Heroku.

Answer 1

Do this via Heroku's (environment) config variables.

If you're using node-apn or something similar, you should be able to pass in the certificate and key content instead of a path. Use ENV vars to pass in that the key content, as recommended by Heroku.

cert: process.env.APN_CERT,
key:  process.env.APN_KEY,
passphrase: process.env.APN_PASSPHRASE,

Since you can't set multi-line values for app config in the web interface, you'll have to use the command line to set APN_CERT and APN_KEY:

$ heroku config:set APN_CERT="-----BEGIN CERTIFICATE-----
> MIIDOjCCAiICCQCZTWzQNz6sqTANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJB
> VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
...