diff --git a/deployment/tls-certs-letsencrypt/heroku-set-certs.sh b/deployment/tls-certs-letsencrypt/heroku-set-certs.sh
new file mode 100755
index 0000000..42874be
--- /dev/null
+++ b/deployment/tls-certs-letsencrypt/heroku-set-certs.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Deploy certs files per https://devcenter.heroku.com/articles/ssl
+# Requires `heroku` CLI, and being logged in.
+
+# (Alternative: paid dynos (including Hobby) can simply enable https://devcenter.heroku.com/articles/automated-certificate-management)
+
+set -e -u -o pipefail
+set -x
+
+cd "$(dirname "$0")"
+
+# TODO: command-line parameters like rhc-set-certs.sh ?
+
+# One cert for all 4 domains.
+main_domain='mathdown.net'
+alt_domains=('www.mathdown.net' 'www.mathdown.com' 'mathdown.com')
+domains=("$main_domain" "${alt_domains[@]}")
+
+app=mathdown
+cert=certs/mathdown.net/cert.pem
+privkey=certs/mathdown.net/privkey.pem
+if heroku certs:info --app "$app"; then
+   heroku certs:update --app "$app" "$cert" "$privkey"
+else
+   heroku certs:add --app "$app" "$cert" "$privkey"
+fi
+
+curl --head "https://$main_domain/"
+
+echo 'To analyze certs & security:'
+printf '  https://www.ssllabs.com/ssltest/analyze.html?d=%s&latest\n' "${domains[@]}"
diff --git a/deployment/tls-certs-letsencrypt/rhc-set-certs.sh b/deployment/tls-certs-letsencrypt/rhc-set-certs.sh
index dc3b8f3..60afbe0 100755
--- a/deployment/tls-certs-letsencrypt/rhc-set-certs.sh
+++ b/deployment/tls-certs-letsencrypt/rhc-set-certs.sh
@@ -30,7 +30,7 @@ else
   keyopts=(--certificate="certs/$main_domain"/fullchain.pem --private-key="$3" --passphrase="$4")
 fi
 
-# <rant>In fish $X does the right thing, in bash I need "${X[@]}" and it only comes close.</rant>
+# <rant>In fish $ARRAY does the right thing, in bash I need "${ARRAY[@]}" and it only comes close.</rant>
 
 echo '== before: =='
 rhc alias list "${appopts[@]}"