Skip to Content

Using a Custom Domain

No more long unreadable URLs for your applications running on SAP HANA Cloud Platform – you can now choose and configure your own recognizable URL.

You can set your custom URL ( instead of the default URL on the domain ( for any application deployed on the platform.

You just need to have custom domain quota for your account. The custom domain configuration on SAP HANA Cloud Platform is done using console client commands.

But before you start with the actual configuration on the platform, note that you need to take care of some steps that involve service providers external to SAP – domain name registrar and Certificate Authority (CA).

Buy the domain

You first need to buy the custom domain names that you want for your applications. You have a wide choice of registrars selling domain names on the market –,,,, to name a few.

Choose a CA

Another external provider you need to use is the CA that will issue the certificate for your domain. You have to get an appropriate SSL certificate to make sure your domain is trusted and all your application data is protected.

Again, there is a huge number of CAs to choose from. To save money and hassle, before buying a certificate, carefully consider the number and type of domains you want to be protected by this certificate. One certificate can be valid for a number of domains and there are various types of domains (single; wildcard; multiple, etc.).

Set up

With the actual configuration, you set up secure SSL communication and then route the traffic for your custom domain to your application on SAP HANA Cloud Platform.


The configuration is done in the following sequence of steps:

    1. Create an SSL host.

The host holds the mapping between your chosen custom domain and the application on SAP HANA Cloud Platform as well as the SSL configuration for secure communication through this custom domain.

     2. Upload a domain certificate.

The certificate generation process starts with certificate signing request (CSR) that you generate on SAP HANA Cloud Platform and then send to a CA.

A CSR is an encoded file containing your public key and specific information that identifies your company and domain name.

Then, use the CSR to get a server certificate signed by the CA of your choice.

    • Generate CSR
    • Sign the CSR with a CA
    • Upload the certificate

     3. Bind the certificate to the SSL host.

     4. Add the custom domain

     This maps the custom domain to the application URL.

     6. Configure DNS.

Now you need to route the traffic for the custom domain to your application on SAP HANA Cloud Platform by configuring it in the Domain Name System (DNS) that you use.

The mapping is specific for the domain name provider and usually is done by modifying CNAME records using their administration tools.

You are now ready.

Check if the application is accessible on the new domain.

In your Application Dashboard in the cockpit, the new custom URL should have replaced the default one.

You must be Logged on to comment or reply to a post.
  • Hi Vanya,

    thank you very much for this very useful article.
    We just also figured that out last week by ourselves without having such a great howto description.

    Please notice that the first step (Create an SSL host) will fail for most of the customers with the following error:

    ERROR: Account does not have remaining quota!

    This is because they do not have a proper custom domain quota assigned to there HCP contract/package - it seems that this custom domain quota has to be bought in addition.

    Best regards,


  • Hi Vanya,

    Can you please suggest if we can use the HANA Cloud Trail Account for the SSL host setup and the other steps performed above. I created a site through a template in HCP Cloud Trial version - Portal Services. Would like to align it with one custom domain name now.



  • Hi All,

    I am going to ask some stupid questions so please bear with me. The procedure above speaks in very general terms about "application URL".

    Can the URL for any HCP application be used?

    Is it the full URL or just the "host name" portion of the URL that is mapped to the custom domain?

    Can the portal be aliased? Again, is it just the "host name" portion of the portal URL that is mapped?

    Thank you in advance for your response(s)

    Tim Rockhill

  • Can I use custom domains for HTML5 applications? The official documentation says that it is only for Java application and it doesn't make sense!

    • Yes Wagner, you can use custom domains for HTML5. The command looks like:

      neo add-custom-domain --account abc123 --user P123xxxx --host --custom-domain --application-url --ssl-host

      I have used a wildcard certificate.

  • Hello,

    i installed a certificate and configured the binding successfully, all works fine in Chrome, Safari and IE.

    But Firefox does not accept the certicate. It seems the intermediate certificate (here from RapidSSL) is missing.

    Is it possible to install a PEM file with certifiate chain, including the intermediate certificate from CA?

    Kind Regards

    • Hi Torsten,

      Yes, you can add both the SSL and the intermediate certificate to the PEM file. To do that, use the --force parameter when you execute the upload-domain-certificate command. Also, make sure you follow this template for the file that holds the certificate data:

      -----BEGIN CERTIFICATE-----

      Your SSL certificate goes here.

      -----END CERTIFICATE-----

      -----BEGIN CERTIFICATE-----

      Your intermediate certificate goes here.

      -----END CERTIFICATE-----

      For more information, see upload-domain-certificate and Uploading an intermediate certificate.

      Best regards,


  • Hi,

    Is it mandatory to avail custom domain slots from SAP Cloud platform and do the above said configurations in order to have a custom domain for my applications hosted on SAP Cloud platform? OR

    Can we achieve it by means of any other 3rd party ?



  • Hi,

    What should be the CNAME record for my custom domain? CNAME




  • Hello,

    Thank you very much for this very detailed article.

    I am configuring the “Custom Domains” but I get an error in the next step:

    cf custom-domain-create-key gmao “, O=xx, C=FR, ST=xxx, L=xxx, OU=DSI, ” “*”  -verbose

    Command: custom-domain-create-key
    Organisation: xxxx (xxxxx-fc009e08f04e)
    API Endpoint:
    Default API Server:
    Key: xxx
    Subject:, O=xx, C=FR, ST=xxx, L=xx, OU=DSI,
    Domain Names: *
    Are you sure to generate this key in the system? (y/N)
    DEBUG:2020/11/12 16:13:51 client.go:105: POST to
    DEBUG:2020/11/12 16:13:51 client.go:110: Request: [{ gmao, O=xxx, C=FR, ST=xxx, L=xx, OU=DSI, [*] }]
    DEBUG:2020/11/12 16:13:52 client.go:131: HTTP Status: 409
    DEBUG:2020/11/12 16:13:52 client.go:132: Response: {“code”:16,”message”:”Domain is not registered for this ORG”}
    Domain is not registered for this ORG

    FYI, I deleted my client’s information.
    Can you help me to solve this problem?
    Best regards,

    • Hi Maher,

      did you create the domain first that you want to create the CSR for?

      The error message "Domain is not registered for this ORG" indicates that the domain does not exist within your Cloud Foundry org. This issue is covered by our Guided Answers for the Custom Domain service, you can find them here:

      Best regards

      • Unfortunately I encountered a new problem related to the upload of the certificate (generated by an authorized authority).

        In the zip sent I find the following files:

        cf custom-domain-upload-certificate-chain key poc.pem

        systematically I have the following answer

        According to SAP blogs I found the following info:


        1. Consolidate the certificate files

        Consolidate below three files into one single file as the final certificate file:

        • CSR file of your custom domain – generated by yourself
        • DigiCert Intermediate Certificate – get from Certification Authority
        • DigiCert Global Root CA.pem – get from Certification Authority

        Give the final certificate file a name like “<your-domain-name>-chain.pem”.

        Now you complete the preparation of the certificate of your custom domain. It is time to import and activate the certificate.


        Download and unzip the files locally.  You should see the 4 crt files mentioned in the email.

        You’ll need to concatenate these files together before uploading them.


        cat STAR_conciletime_com/AddTrustExternalCARoot.crt > comodo-conciletime-certchain.pem
        cat STAR_conciletime_com/USERTrustRSAAddTrustCA.crt >> comodo-conciletime-certchain.pem
        cat STAR_conciletime_com/SectigoRSADomainValidationSecureServerCA.crt >> comodo-conciletime-certchain.pem
        cat STAR_conciletime_com/STAR_conciletime_com.crt >> comodo-conciletime-certchain.pem

        Normally I should not use files that have a name that starts with p7.

        Do you have any idea on which files I should concatenate? I have checked the CSR (Command: custom-domain-get-csr) and it is equivalent to the one we sent to the authority which issued the SSL certificate

        Thanks for your help

        Best regards,

        • Hi Maher,

          there are a couple of things that you can do:

          • First make sure, that the content of the certificate files is in the pem format, not PKCS7 (this is just an assumption). There is a note how you can convert the content on the SAP Help Portal.
          • Then you need to concatenate the files to have the full certificate chain in one file. Please have a look at this topic of the guided answers.
          • Third, make sure that the key and domain parameters that you used in the upload-certificate command is the same that you've used in the custom-domain-create-key command.

          Generally, you can go through the official documentation of the Custom Domain service on Cloud Foundry here, to see if your procedure was following the documentation.

          Best regards


          • it works.

            Thank you 🙂

            In the archive provided by the authority there is a file pem-1605172388-996590.pem: it is the bundle (= concatenation) of my TLS service certificate (SSL) and of the so-called intermediate issuing CA certificate.

            I concatenated the root + .pem certificate and it works.

            Thank you for your availability.

            Best regards,