Answer from Microsoft below:
SSLs uploaded to Application Registrations are used as an authentication method, rather than as an identifier.
This means the SSL does not need to contain any specific domains; as long as the certificate is uploaded to the Application Registration, it can be used for authentication by the application being developed.
For reference, here are the general SSL requirements:
• Subject – This is descriptive and for ease of identification
• KeyExportPolicy – Exportable
• Signature Hash – SHA256
• KeyLength – 2048
• File type – .cer / .pem / .crt
You can find more information on uploading an SSL here:
https://video2.skills-academy.com/en-us/azure/active-directory/develop/quickstart-register-app#add-credentials
https://video2.skills-academy.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#authentication-two-options
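
The requirements listed above, as an added PowerShell example that is not part of the original answer or of Microsoft's reply: it creates a self-signed certificate with those settings, exports only the public `.cer` for upload, and checks the file before it goes to the Application Registration. The subject name, output path, one-year lifetime and the helper `Test-AppRegCertificate` are assumptions made for illustration.

```powershell
# Added example. Subject, path and lifetime are placeholders (assumptions).
$subject = 'CN=example-app-auth'   # descriptive only; no domain name is required
$cerPath = Join-Path $env:TEMP 'example-app-auth.cer'

# Create a certificate with the settings from the requirements list.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# Export the public certificate only. The private key stays in the store
# and is what the application uses to prove its identity.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Hypothetical helper: returns a list of problems found in the file to upload.
function Test-AppRegCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $problems = @()

    # 1.2.840.113549.1.1.11 is the OID for sha256WithRSAEncryption.
    if ($c.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.11') {
        $problems += "Signature algorithm is $($c.SignatureAlgorithm.FriendlyName), not SHA256 with RSA"
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    if ($null -eq $rsa) {
        $problems += 'Public key is not RSA'
    } elseif ($rsa.KeySize -lt 2048) {
        $problems += "RSA key is $($rsa.KeySize) bits, shorter than the 2048 listed"
    }
    # The uploaded file is a credential reference; it must not carry the private key.
    if ($c.HasPrivateKey) { $problems += 'File contains a private key; upload the public certificate only' }
    if ($c.NotAfter -le (Get-Date)) { $problems += "Certificate expired on $($c.NotAfter)" }

    return ,$problems
}

$result = Test-AppRegCertificate -Path $cerPath
if ($result.Count -eq 0) { "OK to upload: $cerPath (thumbprint $($cert.Thumbprint))" }
else { $result }
```

Because the certificate acts as a credential rather than an identifier, the private key in `Cert:\CurrentUser\My` needs the same protection as a client secret.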