Description:
We would like to use a certificate that does not match the listener and HTTPRoute's hostnames.
Currently, Envoy Gateway does not support this: when the domain in the certificate's dnsNames field differs from the SNI domain sent by the client (the hostname configured on the Gateway listener), the setup fails validation here:
https://github.com/envoyproxy/gateway/blame/ec94c9848d88d430624396f70ac6a0e8124d3420/internal/gatewayapi/tls.go#L90
This pattern is common in CDN use cases, where the CDN accepts certificates issued for the origin server's "technical" domain name while the client-facing Host header and SNI are preserved.
For example, Akamai supports matching the certificate's CN/SAN to the origin-server name:
Match CN/SAN To
Specify the values Akamai edge servers should look for in your origin certificate's Common Name (CN) or Subject Alternate Name (SAN) fields. When a Subject Alternate Name field is present in the certificate, the Common Name field is ignored. These values are included by default:
{{Origin Hostname}}: The edge server scans either a CN or SAN for the value you've set as the Origin Server Hostname.
{{Forward Host Header}}: The edge server scans either a CN or SAN for the value you've set as the Forward Host Header.
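To make the two validation models concrete, here is an added example (not Envoy Gateway's code and not Akamai's) that builds a throwaway self-signed certificate for an origin's technical name and runs two checks over it: `CertCoversHostname`, which mirrors the existing listener-hostname rule (certificate SAN, or CN when no SAN is present, must cover the listener hostname, with single-label wildcard support), and `CertMatchesAllowedNames`, which models the CDN-style "Match CN/SAN To" behaviour where the operator lists the names the certificate is expected to carry, decoupled from the client-facing SNI. All function names and hostnames are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newTestCert builds a self-signed certificate with the given CN and DNS SANs.
// Constructed purely for this example; it is not a real origin or CDN certificate.
func newTestCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostMatchesName reports whether one certificate name (exact, or a
// single-label wildcard such as *.example.com) covers host.
func hostMatchesName(name, host string) bool {
	name, host = strings.ToLower(name), strings.ToLower(host)
	if strings.HasPrefix(name, "*.") {
		suffix := name[1:] // ".example.com"
		// A wildcard covers exactly one label and never the bare apex.
		if !strings.HasSuffix(host, suffix) || host == suffix[1:] {
			return false
		}
		return !strings.Contains(strings.TrimSuffix(host, suffix), ".")
	}
	return name == host
}

// CertCoversHostname models the listener-hostname rule: the certificate must
// present a SAN (or, when no SAN is present, the CN) that covers listenerHost.
func CertCoversHostname(cert *x509.Certificate, listenerHost string) bool {
	names := cert.DNSNames
	if len(names) == 0 && cert.Subject.CommonName != "" {
		names = []string{cert.Subject.CommonName} // CN is only consulted without SANs
	}
	for _, n := range names {
		if hostMatchesName(n, listenerHost) {
			return true
		}
	}
	return false
}

// CertMatchesAllowedNames models the CDN-style "Match CN/SAN To" check: the
// operator supplies the names the certificate is expected to carry (for
// example the origin's technical hostname), independent of the client SNI.
func CertMatchesAllowedNames(cert *x509.Certificate, allowed []string) bool {
	for _, a := range allowed {
		if CertCoversHostname(cert, a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed example: a certificate issued for the origin's technical name only.
	cert, err := newTestCert("origin-1.internal.example.net", []string{"origin-1.internal.example.net"})
	if err != nil {
		panic(err)
	}
	fmt.Println("covers client-facing SNI www.example.com:", CertCoversHostname(cert, "www.example.com"))
	fmt.Println("matches configured origin name:", CertMatchesAllowedNames(cert, []string{"origin-1.internal.example.net"}))
}
```

Run as written, the first check is false (the certificate's SAN does not cover the hostname the client sends) and the second is true, which is exactly the gap the issue describes: the same certificate is rejected under a hostname-coupled rule and accepted once the expected names are configured explicitly. Note that `CertMatchesAllowedNames` still requires an exact or wildcard name match against an operator-supplied list; it does not accept arbitrary certificates.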