There needs to be a place within the Settings pages where admins can import, upload and use a built-in API to request certificates with DNS validation, since you change all of your ports and don't bother to provide a preconfigured proxy.
If you're going to insist on using the horribly complicated, obfuscated, resource-hungry Java that uses its own cert stores and ports, an officially supported frontend to deal with those is needed, not just a guide so you can wash your hands. We come to you for the ease of use, not for the challenge of finding a keystore in a sea of cryptically and similarly named file structures so that a basic directory connection can happen.
You don't serve your hosted products outside of port 443, do you? Of course not. Things from big stubborn companies like Microsoft's RDS/RDP have had their TCP and UDP traffic multiplexed over TCP *443* for years now because it's a safe bet to count everything else blocked. Even where they wouldn't be blocked, a regular user doesn't want, or need, to be bothered learning about ports; that takes time, which is the thing your whole product line is supposed to manage. Make sense?
Crowd is an IT/admin app anyway; this is expected, so it should be front and center, not tucked away behind some shell. Red Hat's Keycloak is an open source, unlimited user count, feature-packed and free for commercial use competitor to Crowd. It doesn't try to push its own protocols or in-app purchases and can be easily clustered, still for free. You need to hurry up.