Does anyone know what type of SSL certificate extension the tenant uses?
I looked in the documentation, but I couldn’t find it.
.pem (PEM (Privacy-Enhanced Mail) format) extension certificates are used in ISC Virtual Appliances.
Any new certificates are added to the VA’s location (/home/sailpoint/certificates) and a restart of CCG after adding the certificate is needed.
Here is a link for more details on the process of adding the certificates to VA’s.
TLS Configuration on Virtual Appliances
Regards,
Uday Kilambi
The certificate for the default URL https://{your‑tenant}.identitynow.com is managed by SailPoint automatically.
However, if you want to have a custom vanity URL, you may need to provide the certificate. When you provide the certificate, it needs to be in .PEM format.
Out of curiosity, what are you trying to do?
Agree with question
That depends on what you are doing exactly, as the context is missing some info to move ahead.
Sorry everyone, I didn’t express myself well, my question is about this documentation
Which certificate extensions does SailPoint accept?
Another question:
Is it possible to use a wildcard certificate?
Good clarification
There are three different “certificate” contexts in ISC, and they get mixed up a lot:
1- Default tenant URL (https://{tenant}.identitynow.com)
The public TLS certificate for the default tenant URL is SailPoint-managed (you don’t upload or choose a file/extension for it).
2- Vanity URL / custom domain (what your screenshot is about)
SailPoint supports these options:
• Preferred: SailPoint requests/hosts the cert via AWS Certificate Manager (you don’t provide a cert file).
• Bring-your-own certificate: If you provide cert material, the doc explicitly calls out two accepted ways:
  • PEM: two files per domain — the certificate file (BEGIN CERTIFICATE/END CERTIFICATE) and the private key file (BEGIN PRIVATE KEY/END PRIVATE KEY).
  • PFX: also referenced as an option (commonly for Windows-origin cert exports).
Also: self-signed is not supported — it must be a publicly trusted CA.
3- Wildcard certificate?
The vanity-URL cert guidance explicitly says: do not provide root or wildcard certificates (their stated reason is risk exposure if shared externally).
So from a best-practice / documented-process standpoint: no wildcard — use a cert scoped to the exact vanity hostname you’re delegating.
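A local pre-flight for the two-file PEM option described in the post above, as an added example that is not part of the thread or SailPoint's own tooling. It checks only the block labels the post names and that each block's base64 decodes to one complete DER structure; the function names are hypothetical, allowing several CERTIFICATE blocks in the certificate file is an assumption, and the wildcard, self-signed and CA-trust rules need an X.509 parser and are not covered.

```python
import base64, binascii, re

# RFC 7468 textual encoding: BEGIN <label>, base64 body, END <label>
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed sample input: the payload is a 5-byte DER stub, not a real cert or key.
STUB = "MAMCAQA="
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{STUB}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{STUB}\n-----END PRIVATE KEY-----\n"

def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)     # catches truncated copy/paste

def pem_blocks(text: str):
    """Return [(label, well_formed)] for every PEM block found in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            out.append((label, der_sequence_ok(der)))
        except binascii.Error:
            out.append((label, False))
    return out

def preflight(cert_text: str, key_text: str):
    """Return a list of problems; an empty list means both files look right."""
    problems = []
    certs, keys = pem_blocks(cert_text), pem_blocks(key_text)
    if not certs:
        problems.append("certificate file: no PEM block found")
    if len(keys) != 1:
        problems.append(f"key file: expected 1 PEM block, found {len(keys)}")
    for name, want, blocks in (("certificate", "CERTIFICATE", certs),
                               ("key", "PRIVATE KEY", keys)):
        for label, ok in blocks:
            if label != want:              # e.g. RSA PRIVATE KEY, or a key pasted into the cert file
                problems.append(f"{name} file: unexpected block '{label}', expected '{want}'")
            elif not ok:
                problems.append(f"{name} file: {want} block is truncated or corrupt")
    return problems
```

Call `preflight(open(cert_path).read(), open(key_path).read())` on the files you intend to submit and resolve anything it returns first.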
Please find the required information below:
What certificate standard is used → X.509
.pem