Deploying an application using a SAP Cloud Platform means that you will get a unique URL to access it. An example could be something like https://yourcompany0a35984b.hana.ondemand.com. This isn’t something that you can easily pronounce, nor is it something that you or your customers will be able to remember. You need to tailor the URL to something like www.yourcompany.com. This way, your customers will remember it, and so will you. More about SAP HANA here.
When you’re using SAP Cloud Platform custom domains, you’re going to need to interact multiple times with providers outside of SAP prior to configuring your custom domain. Do not minimize the importance of the prerequisites. Follow them closely without missing any steps or important details.
How a SSL host correlates to domain certificates or custom domain quotas is not always easy to understand. Here is some basic terminology to help you better understand the overall picture.
Custom Domain Quota
When you purchase one SAP Cloud Platform custom domain, you will get one custom domain quota.
Domain (SSL) Certificate
Each custom domain quota you buy gives you the right to four domain certificates max.
Every custom domain allows for the creation of one SSL host by using the command create-ssl-host. You are able to bind a maximum of one domain certificate by running the set-ssl-host command or the bind-domain-certificate command.
In order to update your DNS records, you will need the SSL host URL. This ends in *.ssl.ondemand.com. To get the SSL host URL, simply run the command list-ssl-hosts. If SSL is still a bit of a black box for you, here is a great article.
Understanding What Differentiates a Domain Certificate from a Certificate Signing Request
Your public key is held in an encoded file known as the CSR. This houses the unique information identifying your company’s domain name. By using the generate-csr command, you will be able to create a CSR, which will allow you to use an SAP Cloud Platform custom domain.
You are not granted a domain certificate by running this command. The CSR that was generated will need to be sent to a certificate authority of your choosing. A few popular options include:
- IdenTrust and others
Note CSR can also be generated via cPanel.
Your CSR will be signed by the certificate authority, and then the domain certificate will be sent back. That certificate will need to be uploaded to the SAP Cloud Platform. There it will be bound to the SSL host you previously created. Regular domain registers can also be used to resolve custom DNS records.
How Many Custom Domains Can Be Protected with One Certificate?
Your business case will determine the number of custom domains you might need. Remember, your custom domain is protected using a domain certificate.
Of the three certificate types, each one has its own set of standards as well as the ability to protect different numbers of domains and sub-domains. Not every certificate type will work in your situation, so careful planning is needed. The following are some specifics.
This certificate will protect one domain. For example, www.yourcompany.com. It will not protect sub-domains, such as www.login.yourcompany.com.
If you are interested in securing sub-domains, you will need to buy additional certificates for each sub-domain. This will also mean purchasing additional SSL host with additional custom domain quota.
Multiple sub-domains of one level are protected by the certificate. So www.login.yourcompany.com or www.test.yourcompany.com will be protected. However, the domain www.yourcompany.com is not protected. If your website has a number of sub-domains, don’t purchase an SSL certificate for each sub-domain. Instead, buy one wildcard SSL certificate to cover all of your sub-domains. More on Wildcard Certs here.
Subject Alternative Names Certificate (SAN)
This certificate will protect multiple domains. For example, www.yourcompany.com or www.yourcompany.net. It will also protect multiple levels of sub-domains. For example, www.test.yourcompany.com or www.test.login.yourcompany.com.
The SAN certificate will allow you to secure several websites as well as a number of domains and sub-domains. Many refer to this product as a multi-domain certificate.
We briefly reviewed basic SAP Cloud Platform terminology and prerequisites. But there still may be a few issues you will need to address. One is determining your custom domain quota. You can accomplish this with the list-ssl-hosts command.
Let’s say this command returned an output of: SSL host for subaccount “XXX”: 2. Account quota:2
This would mean that custom domain quota for the owner of “XXX” account is two. In this instance, the quota is maxed out because there are 2two SSL hosts created for this sub-account.
When using the list-domain-certificates command, you may see an output that says: Certificates for subaccount “XXX”: 6. Account quota:8.
In this example, the account quota is eight because each custom domain quota gives you one quota for having up to four domain certificates. When looking at this example, you see that the quota is not maxed out because there are six uploaded certificates connected to the same sub-account and the maximum number of certificates allowed is eight. This means that the owner is still able to upload two certificates to that sub-account.
Of course, there are a number of other issues you will need to address. For example, you will need to learn how to update your DNS records with the goal of directing the traffic for your custom domain so that it reaches the application on your SAP Cloud Platform.
SAP Cloud Platform customization is challenging. Some of the information we discussed in this article should help make the process easier. If you have more questions, please do not hesitate to ask. Or share your guidance with the SAP community by leaving a comment in the comments section below.