Should files involved in SSL certificate be kept confidential (added to .gitignore)?

Should these be added to .gitignore before pushing my site to github?

They should not be in the repo at all, meaning stored outside of the repo.
That way:

  • you don't need to manage a .gitignore,
  • you can store those keys somewhere safe.

GitHub actually had to change its search feature back in 2013 after seeing users storing keys and passwords in public repositories. See the full story.

The article includes this quote:

The mistakes may reflect the overall education problem among software developers.

When you have expedited programs—"6 weeks and you'll be a real software developer"—to teach developing, security becomes an afterthought. And considering "90 percent of development is copying stuff you don't understand, I'd bet most of them simply don't know what id_rsa is"

In 2016, this "book" (as a joke) reflects that:

https://twitter.com/DomBurf/status/707473924137881600


The OP adds:

I think Heroku requires putting the files into the repo in order to run ">heroku certs:add server.crt server.key" and setup the cert.

"Configuration and Config Vars" is one illustration on that topic:

A better solution is to use environment variables, and keep the keys out of the code. On a traditional host or working locally you can set environment vars in your bashrc file. On Heroku, you use config vars.

The article "Heroku: SSL Endpoint" does not force you to have that key and certificate in your code. They can be generated directly on Heroku and saved anywhere else for safekeeping. Just not in a git repo.