Alright, so based off the comment exchange we had, I'm going to recommend a little guide to the SSL Chains as they work when trying to import them on a custom domain.
So when you look at the cert chain, most of the time you will see it with its full path. The interesting thing with this is that if you already have the root certificate on your computer and try to export the chain, it will include the trusted root cert in the chain.
After battling this problem with many tools, I ended up finding that using KeyStore Explorer would make this whole process of editing the cert chain a million times easier, so I will cover using it here.
The first thing you want to do is create a new KeyStore and create it with the type of JKS. After this point, you will likely have been given, or have, a PFX of the cert chain from your cert vendor or whatever. You need to know the decryption password btw that binds the key pair. Once you have that, just import the pair into your new keystore (PS it's a PKCS #12).
From here, double click on your new import and you'll probably notice that you have the root in your chain. This is a no no. What we want to do is actually remove this from the chain so that Salesforce can map the chain to THEIR trusted root.
So to remove the root from the chain, simply right click on the entry and select "Edit Certificate Chain" and then "Remove Certificate". This will remove the top most cert from the chain, which is exactly what we are looking to do.
If you double click on the entry now, you should see the root certificate out of the cert chain now (Hooray!)
From here, you just need to export out the pair and save it off so you can upload it to Salesforce to link with your domain. You can do this by right clicking on the entry, and selecting "Export" and then "Export Certificate Chain". Leave it with Head Only and X509.
Your end result should now be a CER file without the root certificate, that is now mapping to the hopefully trusted root certificate on your PC. As you can see below, mine binds to the DigiCert trusted root CA, which is one that Salesforce has on their end. For a list of all trusted CA's on the Salesforce side, take a peek here
This should hopefully help you or anyone else peeking at this answer out with the SSL side of a custom domain that requires HTTPS. It looks like you have everything else taken care of as far as the setup side is concerned. If you still have any problems or questions, feel free to post a comment and I can try to help out as best I can!
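The same root-stripping step as a script, added here as an example that is not part of the original answer: it reads a PEM bundle, pulls the issuer and subject names out of each certificate's DER, and drops any certificate whose issuer equals its subject. Assumptions: the chain is available as a PEM bundle, a self-issued name match is treated as "this is the root" (no signature check), and all function names and the sample data are made up for illustration.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der_cert):
    """Return the raw DER of the issuer and subject Names from TBSCertificate."""
    _, start, _ = read_tlv(der_cert, 0)     # outer Certificate SEQUENCE
    _, pos, end = read_tlv(der_cert, start) # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, vend = read_tlv(der_cert, pos)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(der_cert[pos:vend])
        pos = vend
    return fields[2], fields[4]             # serial, sigAlg, issuer, validity, subject

def strip_root(pem_bundle):
    """Keep every certificate except self-issued ones (issuer == subject)."""
    kept = []
    for m in PEM_RE.finditer(pem_bundle):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if issuer != subject:               # name comparison only; no signature check
            kept.append(m.group(0))
    return "\n".join(kept) + "\n"

# --- constructed sample input: structurally shaped stand-ins, not real certificates ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def fake_cert(subject, issuer):
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject))
    body = base64.encodebytes(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----"

SAMPLE = "\n".join(fake_cert(s, i) for s, i in [("www.example.com", "Constructed Intermediate CA"),
    ("Constructed Intermediate CA", "Constructed Root CA"), ("Constructed Root CA", "Constructed Root CA")])
```

Calling `strip_root(SAMPLE)` returns the leaf and intermediate in their original order with the self-issued root removed.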
Best Answer
Custom domain for base orgs (and its sandboxes) is not possible in Salesforce platform (at the least there is no documentation around this or OOB approach). You can only configure subdomains via My Domain (ref)
Consider the following (just my thoughts on why this isn't facilitated yet):
So, if the base org has to be exposed via custom domain, it would take a lot more than a simple CNAME change or DNS mapping. While this is technically possible, it would be a highly complex solution and I don't think Salesforce (has planned or) has the strategy, infrastructure and necessary solutions in place yet.