Certificate configuration in Portal 4.2

Document ID : KB000093593
Last Modified Date : 01/05/2018
Question:
The user is currently implementing the API Developer Portal 4.2. They are setting up certificates for the production environment but cannot use wildcard certificates (company policy). Will the Portal also function correctly if they use an EV certificate with the common name (CN) 'tenant-id.domain.com' and add the rest of the described URLs as subject alternative names (SANs)?
So they would add the following as SANs:
- tenantid-ssg.domain.com
- analytics.domain.com
- broker.domain.com
- enroll.domain.com
- sso.domain.com
- sync.domain.com

The user has an additional question: at the customer where I'm installing the Portal it is company policy not to use wildcard certificates. There are three URLs exposed to the internet:
-apim.domain.com 
-apim-ssg.domain.com 
-analytics.domain.com 

Is it possible to configure three different certificates (without a wildcard in the CN)? So we would have three certificates with the following CNs:
- CN= apim.domain.com 
- CN= apim-ssg.domain.com 
- CN= analytics.domain.com 

The advanced installation instructions for production certificates only describe this for wildcard certificates. How should I modify portal.conf? Or is there another way to configure non-wildcard certificates?
Environment:
Portal 4.2.x
Gateway 9.3
Answer:
Since our products (both Portal 4.2.x and Gateway 9.2/9.3) do not support SAN certificates, it is not possible to direct the outbound requests to the URLs specified as subject alternative names. The following URLs are not meant to be accessed through a web browser; these services are protected with 2-way SSL (mutual authentication) for the internal communication between the Portal and its tenant gateway, so it is fine to keep our internally generated certificate for them:

- analytics.domain.com
- broker.domain.com
- enroll.domain.com
- sso.domain.com
- sync.domain.com

Yes, the user can configure CA-signed certificates for "apim.sub.domain.com" and "apim-ssg.sub.domain.com" by adding the following variables to '<installation>/conf/portal.conf', as documented here:
  https://docops.ca.com/ca-api-developer-portal-enhanced-experience/4-2/en/install-configure-and-upgrade/create-and-sign-certificates-for-production

The TSSG variables cover the tenant gateway host (apim-ssg.sub.domain.com), the HTTPD variables the Portal web host (apim.sub.domain.com); each certificate carries a single non-wildcard CN:

PORTAL_TSSG_SSL_KEY='<CA-signed key for CN=apim-ssg.sub.domain.com>'
PORTAL_TSSG_SSL_KEY_PASS='<passphrase of the key above>'
PORTAL_HTTPD_SSL_KEY='<CA-signed key for CN=apim.sub.domain.com>'
PORTAL_HTTPD_SSL_KEY_PASS='<passphrase of the key above>'
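As an added example (not taken from this article or from the Portal documentation), the following POSIX shell script produces one CN-only CSR per public hostname from the question and checks a PEM certificate or CSR against the stated policy: exactly one hostname, carried in the CN, no wildcard, and no additional subjectAltName entries. It needs only openssl (1.1.1 or later for the -addext option used in the demo); the working directory and file names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not taken from this KB article or the Portal documentation.
# Generates a CN-only key and CSR per public hostname (no subjectAltName, no
# wildcard) and checks a PEM certificate or CSR against the policy in the
# question: one hostname, carried in the CN, no wildcard, no extra SAN names.
# Hostnames are the ones from the question; $WORK and the file names are
# assumptions for this example. Requires openssl (1.1.1+ for -addext in demo).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_cn_only_csr HOST: write $WORK/HOST.key and $WORK/HOST.csr with subject
# /CN=HOST and no extensions; print the CSR path
make_cn_only_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf '%s\n' "$WORK/$host.csr"
}

# x509_text FILE: text dump of a PEM CSR (*.csr) or certificate (anything else)
x509_text() {
    case "$1" in
        *.csr) openssl req  -in "$1" -noout -text ;;
        *)     openssl x509 -in "$1" -noout -text ;;
    esac
}

# cn_of FILE: the subject common name (handles "CN=x" and "CN = x" output)
cn_of() {
    x509_text "$1" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# san_dns_of FILE: DNS entries of the subjectAltName, one per line, empty if
# the extension is absent
san_dns_of() {
    x509_text "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

# check_policy FILE: print "ok CN" and return 0 when FILE names exactly one
# non-wildcard host in its CN and no other DNS name; otherwise print the
# reason and return 1. A SAN equal to the CN is tolerated because public CAs
# always repeat the CN there.
check_policy() {
    cn=$(cn_of "$1")
    case "$cn" in
        '')   echo "reject: no CN in $1";     return 1 ;;
        \*.*) echo "reject: wildcard CN $cn"; return 1 ;;
    esac
    extra=$(san_dns_of "$1" | grep -Fvx -- "$cn" || true)
    if [ -n "$extra" ]; then
        echo "reject: extra SAN names in $1: $(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    echo "ok $cn"
}

# selfsigned NAME SUBJECT [SAN]: demo helper, writes $WORK/NAME.pem and
# prints its path (a short-lived self-signed cert standing in for a CA's)
selfsigned() {
    name="$1"; subj="$2"; san="${3:-}"
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
            -addext "subjectAltName=$san" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
    fi
    printf '%s\n' "$WORK/$name.pem"
}

# demo: one compliant CSR per exposed host, then two certificates the policy
# must reject (a wildcard CN and a multi-name SAN)
demo() {
    for h in apim.domain.com apim-ssg.domain.com analytics.domain.com; do
        check_policy "$(make_cn_only_csr "$h")"
    done
    check_policy "$(selfsigned wild '/CN=*.domain.com')" || true
    check_policy "$(selfsigned multi '/CN=apim.domain.com' 'DNS:apim.domain.com,DNS:apim-ssg.domain.com')" || true
}

demo
```

Run check_policy on each certificate the CA returns before pointing PORTAL_HTTPD_SSL_KEY or PORTAL_TSSG_SSL_KEY at its key: it confirms the CN is the intended host and that the CA did not fold several names into one certificate. A single DNS SAN equal to the CN is accepted, since publicly trusted CAs always add it; only extra names or a wildcard cause a rejection.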