Rather than using a wildcard certificate, I have previously been able to use a certificate with my apps' hostnames listed as 'Subject Alternative Name'(s) in one certificate per domain on Bluemix.
However, when trying to replace that certificate with a new one, it is now stating that my org is not the owner of 'host'.'domain' where 'domain' is one of my custom domains and 'host' is the name of one of my apps and is listed on the certificate as an alternative name.
Has anyone had similar issues and managed to work around it?
After working with Bluemix support - turns out there is a bug in the Certificate Replace flow. They're addressing this issue, but it still exists as of today.
Work-around is to remove, then re-add certificates.