Manage SSL Certificates

When you interact with the Agent Factory application, the web page uses self-signed SSL certificates by default. Some web browsers may trigger an “insecure connection” warning, but this does not affect the application’s functionality.

You can generate your own self-signed SSL certificates or import your certificates issued by a trusted certificate authority (CA) to remove the warning entirely.

Note: Adding your own SSL certificates won’t remove the warning unless the certificate is issued by a CA that the browser trusts, and the hostname matches the certificate.

Generate Your Own SSL Certificates

To generate your own self-signed SSL certificates, use one of the following commands from your staging location.

  1. Generate certificates for both a hostname and IP address:

    make certificates FQDN=<yourhostfqdn.example.com> IP_ADDRESS=<your.ip.address>
  2. Generate certificates for an IP address only:

    make certificates IP_ADDRESS=<your.ip.address>
  3. Generate certificates for a hostname only:

    make certificates FQDN=<yourhostfqdn.example.com>

The generated certificates replace the default self-signed certificates used by the application.

Important: Self-signed certificate generation uses the host name that you provide, or the host name detected by the host. Very long fully qualified domain names can exceed certificate subject limits. If certificate generation fails for a long host name, use a shorter DNS name or import a CA-issued certificate with the required Subject Alternative Name (SAN).

Import Your Own Certificates

To remove the browser warning, use your preferred method and certificate authority to generate certificates issued by a trusted CA. Many certificate authorities require that the VM hosting the application has a public DNS name.

You need a certificate file and a key file.

  1. Go to your staging location.

    cd </path/to/your/staging/location>
  2. Import your certificates.

    make install-certificates CERT_FILE=/path/fullchain.pem KEY_FILE=/path/key.pem

After completing these steps, the next time you access the application, the browser will show the new certificate information. If the certificate was issued by a trusted CA, the browser warning should no longer appear.

Note: SSL/TLS certificate selection, procurement, installation, renewal, and trust configuration are handled by the user or the organization operating the deployment. Agent Factory does not validate or manage third-party certificates; it only provides a mechanism to import and use certificates you supply.

Certificate Troubleshooting

Symptom Likely cause Action
Browser still warns after import Certificate is self-signed, not trusted by the browser, expired, or does not match the host name. Use a CA-issued certificate trusted by users’ browsers and make sure the SAN includes the application host name.
Import fails with invalid certificate or key File path is wrong, file is not PEM formatted, key does not match certificate, or permissions prevent reading. Verify file paths, PEM content, and certificate/key pairing before importing.
Certificate generation fails for a long FQDN Host name exceeds certificate subject length limits. Use a shorter DNS name or import a certificate generated outside Agent Factory.
SSO or MCP callback fails after certificate/DNS changes Provider callback URLs still point to the old host name. Update SSO, REST OAuth, and MCP provider callback URLs to the browser-facing URL.