Securely Publish Applications in SAP BTP under Custom Domains

We have developed and deployed a Multitarget Application in SAP BTP (Cloud Foundry) – developed in Java Spring Boot, SAP UI5, and SAP HANA – for one of our clients.

The main requirement was to expose the application under the customer’s domain rather than the default domain provided by SAP BTP.

We used SAP’s custom domain server which is one of the services offered in the BTP landscape.

Securely Publish Applications in SAP BTP - Graphical Overview


This article shares the highlights of our learning experience with SAP’s Custom Domain service.

Why Choose a Custom Domain?

When you host/deploy an application in BTP, it is accessible via the default subdomain provided by the cloud vendor. But, as application owners, we do not want our products to promote third-party platforms. We want them to be accessible under our domains, exposing our brands to the users of our cloud applications.

What is the Custom Domain Service in BTP?

SAP provides many services in BTP. Custom Domain service is one of the offerings which, as described above, enables customers to configure and publish their applications under their own domains. By this means, subaccount owners can make their SAP BTP applications accessible via custom domains e.g., rather than the default


  • Domain access: Configure your application with a name that is easily recognisable to your customers and users.
  • Application identity protection: Upload a TLS/SSL certificate to help secure your application’s identity and data transmitted between the browser and the application.


Custom Domain service runs in both Cloud Foundry and Neo environments.

Use Cases

This applies to all PaaS or SaaS customers, in SAP BTP, who require secure exposure of their applications/subscribed services under custom domains.

Creating a Custom Domain for Your Application

  1. Subscribe to the Custom Domain Manager by using the SAP BTP cockpit in the Instances and Subscriptions section in your subaccount.
  1. Create a new instance and configure it by logging into Custom Domain Manager.

 Tools Required for SAP Cloud Foundry

You need the Cloud Foundry CLI and the Custom Domain CLI plugin to use the Custom Domain service.

 Securing Your Application

To make your domain trustworthy and protect your application data, you must get an appropriate TLS/SSL certificate from a Certificate Authority (CA); after determining what domains you want to secure. One TLS/SSL certificate can be valid for several domains and subdomains, but you can also use a dedicated certificate for each domain.

  • Standard certificate – the standard certificate protects one domain, for example, com.
  • Wildcard certificate – the wildcard certificate secures multiple applications of a domain, for example, * covers any application under the domain, like, but not the domain itself.

We utilized CA signed wildcard certificate for our application deployed in SAP Cloud Foundry (find the summary of steps below); we used the Cloud Foundry command line interface (CLI) to manage the SSL certificate for the custom domain.

  1. Use CLI to generate the Certificate Signing Request (CSR) for the custom domain. While creating CSR, we needed to provide a few important pieces of information and generate a private key.

cf custom-domain-create-key my-domain-key “CN=*, O=Organization, OU =Address, L=Address-2, ST=Address-3, C=Address-3” “” “*”

  1. Download the CSR (.pem) from CLI and share it with the authority for signing.

cf custom-domain-get-csr my-domain-key csr.pem

  1. Once the signed certificate is received from CA, upload and activate it to BTP through CLI.
  1. Upload the new certificate.

cf custom-domain-upload-certificate-chain my-domain-key NewCertificate.pem

  1. Activate the uploaded certificate.

cf custom-domain-activate my-domain-key “*” “”

The certificate needs to be renewed before it expires. When renewing, please make sure to use a new private key while generating the CSR file; and delete the old private key after the new certificate is uploaded and activated.

On Device Solutions is a niche IT consultancy and an SAP Gold Partner. To find out more about how we can help your business, please get in touch with us now.




Thanks for your enquiry. A member of the On Device team will be in touch shortly.

Request a free Trial

Thanks for your enquiry. A member of the On Device team will be in touch shortly

I would like to request a trial of

Contact Us

Thanks for your enquiry. A member of the On Device team will be in touch shortly

Request a Demo

Thanks for your enquiry. A member of the On Device team will be in touch shortly

I would like to see a demo of

Request a Demo

Thanks for your enquiry. A member of the On Device team will be in touch shortly

I would like to see a demo of