You'd like to switch from using Heroku's Automated Certificate Management (ACM) feature to using the SSL Endpoint Add-On. The most common use case for this is to disable TLS 1.0 and/or TLS 1.1 on an application.
Can I switch from ACM to SSL Endpoint without downtime?
Yes. ACM and SSL Endpoint can co-exist, which means that there is no disruption to serving the site over HTTPS. You can set up SSL Endpoint properly and then disable ACM 1-2 days later by running
heroku certs:auto:disable -a app-name. It's important to wait 1-2 days so that long-lived TTL has a chance to clear before you disable ACM.
How do I disable TLS 1.0 and/or TLS 1.1 once I've set up SSL Endpoint?
Refer to How do I disable support for TLS 1.0 or 1.1 on a Heroku App?. This can be done at any point after SSL Endpoint has been set up.
Can I use a wildcard certificate with SSL Endpoint?