@madhav165 madhav165 commented Nov 3, 2025

✨ Feature / Enhancement PR

🔗 Epic / Issue

Link to the epic or parent issue:
Closes #1278, #1287, #1364


🚀 Summary (1-2 sentences)

Adds first-class support for self-signed TLS by allowing users to upload a custom CA certificate. The CA is wired through gateway create/update flows, health checks, and tool calls, with UI-side file validation and updated docs.


🧪 How to Test This Feature

Quick Setup

  1. Get your CA certificate file - If your MCP server uses a self-signed certificate, you'll need the CA certificate file (usually named something like cert.pem, ca.pem, ca.crt, or rootCA.pem)

  2. Open the MCP Gateway Admin Panel - Navigate to your gateway instance and log in as an admin

Testing Steps

Step 1: Add a New Gateway with CA Certificate

  1. Go to Admin → Gateways tab
  2. Click Add Gateway
  3. Fill in your server details:
    • Name: My Test Server
    • URL: https://your-mcp-server.example.com (must be HTTPS)
  4. Scroll to the CA Certificate section
  5. Drag your certificate file (.pem, .crt, .cer, or .cert) into the upload area, or click to browse
  6. You should see a green checkmark: ✅ "All certificates validated successfully!"
  7. Click Save

Step 2: Verify the Connection Works

  1. After saving, the gateway should show as "Active" or "Reachable"
  2. Go to the Tools tab
  3. You should see tools from your newly added gateway listed
  4. Try invoking one of the tools to confirm it works

Step 3: (Optional) Test Multiple Certificate Files
If you have a certificate chain (root + intermediate CAs):

  1. Select multiple certificate files when uploading
  2. The system will automatically order and combine them
  3. You'll see each file validated individually

What You Should See

✅ Success indicators:

  • Green checkmark after upload
  • Gateway shows as connected/reachable
  • Tools are discovered from the server
  • Tool invocations work without SSL errors

❌ If something's wrong:

  • Red X with error message (check file format or size)
  • Gateway shows as unreachable (check URL or certificate)

Need Help?

If you encounter issues:

  1. Check that your certificate file is in PEM format
  2. Verify the URL matches your server's certificate CN/SAN
  3. Ensure the file is under 10MB
  4. See the full documentation at: docs/docs/manage/self-signed-certificates.md

🧪 Checks

  • make lint passes
  • make test passes
  • CHANGELOG updated (if user-facing)
  • Documentation added (docs/docs/manage/self-signed-certificates.md)
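
The upload checks listed under "Need Help?" (allowed extension, size under 10MB, PEM format) can be reproduced server-side as a structural pre-check; the following is an added example, not code from this PR or from the mcpgateway project. The function names, the reading of 10MB as 10 MiB, and the private-key rejection are assumptions, and the check does not verify signatures, chain order, or the CN/SAN match.

```python
import base64
import re

# Limits as stated in the PR description; all names here are hypothetical.
ALLOWED_EXTENSIONS = (".pem", ".crt", ".cer", ".cert")
MAX_BYTES = 10 * 1024 * 1024  # "under 10MB", assumed to mean 10 MiB
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# Constructed sample: a 5-byte DER SEQUENCE in PEM armor, not a real certificate.
SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
          + base64.b64encode(b"\x30\x03\x02\x01\x01")
          + b"\n-----END CERTIFICATE-----\n")


def der_is_single_sequence(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length spans all bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_ca_upload(filename: str, data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the file may be stored."""
    problems = []
    if not filename.lower().endswith(ALLOWED_EXTENSIONS):
        problems.append("unsupported extension")
    if len(data) >= MAX_BYTES:
        problems.append("file is not under 10MB")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["not PEM text (binary DER upload?)"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no CERTIFICATE block found")
    if "PRIVATE KEY-----" in text:        # extra precaution, not from the page
        problems.append("contains a private key; upload only the CA certificate")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error subclasses ValueError
            der = b""
        if not der_is_single_sequence(der):
            problems.append(f"certificate {i}: not base64 of one DER SEQUENCE")
    return problems
```
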

Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
madhav165 and others added 22 commits November 8, 2025 21:41
- Fix imports: mcpgateway.models -> mcpgateway.common.models
- Add missing ToolHookType import
- Update plugin manager API: tool_pre_invoke -> invoke_hook with ToolHookType
- Update plugin manager API: tool_post_invoke -> invoke_hook with ToolHookType
- Update HttpHeaderPayload: headers -> root parameter
- Create alembic merge migration for CA cert and observability heads
- Apply pre-commit formatting fixes (trailing whitespace, tabs, encoding pragma)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai force-pushed the fix-for-self-signed-cert branch from 7743e2a to 7d439f4 Compare November 8, 2025 22:02
@crivetimihai crivetimihai removed the request for review from kevalmahajan November 8, 2025 22:23
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai merged commit 2821907 into main Nov 8, 2025
40 of 42 checks passed
@crivetimihai crivetimihai deleted the fix-for-self-signed-cert branch November 8, 2025 22:29
p4yl04d3r pushed a commit to p4yl04d3r/mcp-context-forge that referenced this pull request Nov 19, 2025
* testing changes

Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add JS for file validation
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* JS cleanup
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Working till adding gateway
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Use ca cert for tool calls
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix health checks
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Use ca_cert in update_gateway
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Flake8 fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Update doctest
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add Ed25519 signing code

Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add validator for public key
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add cert validation
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Allow multiple uploads
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* bandit fix
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix some tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix test
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix fstring
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* eslint fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* lint-web fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add alembic migration
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Make signing certs optional
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Update README
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Minor change to README
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Update sso_provider field validator
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Update charts
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* flake8 fix
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* flake8 fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Use Containerfile.lite in docker compose
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* checking compose upgrade for pg 18
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Include pg_hba.conf step in upgrade
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* lint fix
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Mention about Postgres upgrade in Changelog
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Minor fix to commented alembic upgrade
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add documentation on self signed certs
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* fix: resolve rebase conflicts and update plugin API calls

- Fix imports: mcpgateway.models -> mcpgateway.common.models
- Add missing ToolHookType import
- Update plugin manager API: tool_pre_invoke -> invoke_hook with ToolHookType
- Update plugin manager API: tool_post_invoke -> invoke_hook with ToolHookType
- Update HttpHeaderPayload: headers -> root parameter
- Create alembic merge migration for CA cert and observability heads
- Apply pre-commit formatting fixes (trailing whitespace, tabs, encoding pragma)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Rebase

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Coverage

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: p4yl04d3r <cvogan@gmail.com>