SAP Integration Suite API Management mTLS on API Proxy

VenkatAdireddi
Discoverer

Hi Experts,

I want to know where to check the client certificate uploaded for mTLS. As per the SAP help, after creating an incident to enable mTLS we need to share the client certificate with SAP in the shared drive provided by SAP. I want to know where we can see the path to which SAP uploaded the client certificate.

Regards

Venkat.

Accepted Solutions (1)


BStyne
Newcomer

Hi Venkat,

Thankfully, this is mostly self-service now. SAP Integration Suite - Configuring Additional Virtual Host

I am in contact with SAP at the moment to discuss some of these topics; however, the full chain of the public certificate must be loaded into the Configure > APIs > Certificates Tab in .pem or .der format and must be in leaf + intermediate(s) + root certificate order.

Once loaded there and your Virtual Host is configured for mTLS, anyone who has the key pair of your public certificate should be able to access a proxy deployed on this Virtual Host.

One big caveat that I still have questions on:
I have received confirmation from SAP that "certificate authentication" only checks to make sure the intermediate/root certificate matches a reference in the certificates loaded into your trust store. Meaning you may have loaded a certificate for Customer A signed by a CA (e.g. DigiCert). This means if Customer B uses the same CA as Customer A, they will also have access to an API Proxy on your Virtual Host even though you didn't load Customer B's certificate.

I tested this with SAP Integration Suite certificates from two different environments (both signed by DigiCert) and was able to make API Proxy calls with a certificate I didn't load into the trust store.

Therefore, the way around this is to create a RaiseFault policy that checks the content of the certificate; however, the only way to do this is by creating an SAP Ticket to enable the Client and Connection Properties on your VirtualHost.

All in all, a bit of a cumbersome process, but mostly self-service.
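An added example, not from this thread or from SAP, that reproduces the caveat above with Go's standard library: a constructed in-memory CA issues certificates to two customers, a chain-only check (what the answer says the Virtual Host does) accepts both, and a pinned check that also matches the presented leaf's fingerprint against an allowlist (the kind of per-client decision the answer says has to go into a policy) accepts only the customer that was actually onboarded. Names, serials and the fingerprint allowlist are assumptions for the demo; the real flow variable names available on an SAP Virtual Host are not used here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a self-signed CA when parent is nil, otherwise a client-auth leaf signed by parent (all constructed in memory).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: the template signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainOnly models the behaviour described in the answer: any leaf chaining to a CA in the trust store passes.
func chainOnly(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// pinned adds the per-client step: the chain must verify AND the SHA-256 fingerprint of the leaf must be allowlisted.
func pinned(leaf *x509.Certificate, roots *x509.CertPool, allowed map[[32]byte]bool) bool {
	return chainOnly(leaf, roots) && allowed[sha256.Sum256(leaf.Raw)]
}

// demo: one shared CA, Customer A (allowlisted) and Customer B (not), each run through both checks.
func demo() (chainA, chainB, pinnedA, pinnedB bool) {
	ca, caKey := issue("Shared Public CA (constructed)", 1, nil, nil)
	custA, _ := issue("customer-a", 2, ca, caKey)
	custB, _ := issue("customer-b", 3, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the only thing the trust store holds is the CA, as in the answer's scenario
	allowed := map[[32]byte]bool{sha256.Sum256(custA.Raw): true}
	return chainOnly(custA, roots), chainOnly(custB, roots), pinned(custA, roots, allowed), pinned(custB, roots, allowed)
}
```

`demo()` returns `true, true, true, false`: chain validation alone lets Customer B through, the fingerprint allowlist does not.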

VenkatAdireddi
Discoverer
Thanks for the information
