The HTTPS Configuration tab in the MCP Configurator sets up TLS encryption for all MCP services. Once configured, every service automatically uses HTTPS with the certificate you specify. This is required when connecting to MCP using HTTP mode with OAuth-based clients such as Claude Desktop.
Note: HTTPS configuration is optional. If you skip this tab, services default to HTTP (unencrypted connections).
HTTP vs HTTPS
Use the table below to determine whether you need HTTPS for your deployment.
| | HTTP (default) | HTTPS |
|---|---|---|
| Encryption | None — traffic is sent in plain text | TLS-encrypted between client and server |
| Authentication | API key only | API key or OAuth |
| OAuth clients (e.g. Claude Desktop) | Not supported — OAuth requires HTTPS | Supported |
| Local development / testing | Recommended — no certificate needed | Optional |
| Production / cross-network | Acceptable if network is trusted and API key auth is sufficient | Recommended - encrypts credentials in transit |
| Org security policy requires encryption | Does not meet requirement | Meets requirement |
| Setup effort | None — works out of the box | Requires a PFX certificate and one-time configuration |
If you only need API-key authentication for internal or local testing, you can skip this article and go directly to Connect to MCP using HTTP mode.
Prerequisites
- Configure MCP Server
- An SSL/TLS certificate in PFX format (.pfx or .p12) that contains a private key and is password-protected
  - For production: Obtain a certificate from a trusted Certificate Authority - either a public CA (Let's Encrypt, DigiCert, Sectigo) or your organization's internal CA (Active Directory Certificate Services, internal PKI). Request export in PFX/PKCS#12 format with a password
  - For testing: Generate a self-signed certificate using the PowerShell script below
Generate a Self-Signed Certificate (Testing Only)
Run the following in PowerShell as Administrator:
```powershell
# Create self-signed certificate in the local machine store
$cert = New-SelfSignedCertificate `
    -Subject "CN=mcp.example.com" `
    -DnsName "mcp.example.com", "localhost" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeySpec KeyExchange `
    -NotAfter (Get-Date).AddYears(2)

# Export to PFX with password
# (replace the placeholder password; the C:\certs folder must already exist)
$password = ConvertTo-SecureString -String "YourPassword123" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath "C:\certs\server.pfx" -Password $password
```
Warning: Self-signed certificates trigger security warnings in browsers and client applications. Use only for development and testing.
Instructions
Configure HTTPS
- Open the MCP Configurator and navigate to the HTTPS Configuration tab
- Enter the Hostname where clients will reach the MCP server
  - This is the DNS hostname or IP address used in the service URL: https://<hostname>:<port>/
  - Must match the certificate's Common Name (CN) or Subject Alternative Name (SAN)
  - Examples: mcp.example.com, localhost, 192.168.1.100
- Click Browse and select the Certificate File (.pfx or .p12)
  - Store certificates on a local drive — UNC network paths are not supported
  - The certificate must contain a private key, be password-protected, and not be expired
- Enter the Certificate Password
  - The password is encrypted with Windows DPAPI before storage and never saved in plain text
  - The encrypted password is machine-specific — if you move the configuration to a different machine, you will need to re-enter the password
- Click Test & Validate to verify the certificate
  - Validation checks: file readability, password correctness, private key presence, expiration date, and hostname match
  - A successful validation displays:

    ```
    Certificate valid until 2027-12-24
    Subject: CN=mcp.example.com
    Issuer: CN=DigiCert TLS RSA SHA256 2020 CA1
    SAN: mcp.example.com, localhost
    Matches hostname: mcp.example.com
    Private key: Present
    ```
- Click Save Configuration once validation succeeds
  - No existing services: Configuration saves immediately. All future services will use HTTPS
  - Existing services: A confirmation dialog shows which services will be affected. Click Enable HTTPS to apply. Running services stop, update, and restart with HTTPS. Stopped services update but remain stopped
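To catch certificate problems before opening the Configurator, the checks listed for Test & Validate can be approximated from PowerShell. This is an added example, not the Configurator's own validation code: `Test-McpPfx` and its parameters are hypothetical names, the SAN parsing assumes the English-language labels Windows prints for the extension, and the wildcard rule is standard TLS matching that the Configurator may or may not apply.

```powershell
# Added example. Test-McpPfx and its parameters are hypothetical names.
function Test-McpPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $Hostname,
        [int] $WarnDays = 30
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($Path.StartsWith('\\')) { $problems.Add('UNC path: copy the PFX to a local drive') }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $problems.Add('File not found or not readable')
        return [pscustomobject]@{ Valid = $false; Problems = $problems }
    }
    try {
        # The constructor throws on a wrong password or a corrupted file
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            (Resolve-Path -LiteralPath $Path).ProviderPath, $Password)
    } catch {
        $problems.Add("Cannot open PFX: $($_.Exception.Message)")
        return [pscustomobject]@{ Valid = $false; Problems = $problems }
    }
    if (-not $cert.HasPrivateKey) { $problems.Add('Certificate does not contain a private key') }

    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0) { $problems.Add("Expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))") }

    # Names the certificate covers: subject CN plus SAN entries (OID 2.5.29.17).
    # Assumption: Format() prints "DNS Name=" / "IP Address=" labels (English Windows).
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @([regex]::Matches($san.Format($false), '(?:DNS Name|IP Address)=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # Exact match (case-insensitive), or a wildcard covering exactly one left-most label
    $match = $names | Where-Object {
        $_ -eq $Hostname -or ($_.StartsWith('*.') -and $Hostname.Contains('.') -and
            $Hostname.Substring($Hostname.IndexOf('.')) -eq $_.Substring(1))
    }
    if (-not $match) { $problems.Add("Hostname '$Hostname' not in CN/SAN: $($names -join ', ')") }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
        Warning  = if ($daysLeft -ge 0 -and $daysLeft -lt $WarnDays) { "Expires in $daysLeft days" }
        NotAfter = $cert.NotAfter
        Names    = $names
    }
}
```

Call it as `Test-McpPfx -Path C:\certs\server.pfx -Password (Read-Host 'PFX password' -AsSecureString) -Hostname mcp.example.com`; prompting with `Read-Host -AsSecureString` keeps the PFX password out of the command history.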
Verify Configuration
- Navigate to the Services tab and confirm the HTTPS status banner shows Configured
- Create or open a service and verify the URL preview displays https://
Update an Existing Configuration
To change the certificate, hostname, or password after the initial setup:
- Navigate to the HTTPS Configuration tab
- Update the relevant fields
- Click Test & Validate
- Click Save Configuration
  - A confirmation dialog shows which services will be affected
  - Running services automatically restart with the new configuration
  - No manual service reconfiguration is needed
Troubleshooting
Invalid password or corrupted certificate file
- Verify the password is correct (check for trailing spaces)
- Re-export the certificate from your certificate store, ensuring you select Yes, export the private key
Hostname mismatch
- The configured hostname must match the certificate's CN or SAN entries. Either change the hostname to match the certificate, or obtain a new certificate that includes the correct hostname
Certificate expired
- Obtain a renewed certificate from your CA or generate a new self-signed certificate
Certificate does not contain a private key
- Re-export from Certificate Manager (certmgr.msc): right-click the certificate > All Tasks > Export > select Yes, export the private key > choose PFX format with password protection
Certificate expires soon (warning)
- Validation passes but the certificate expires within 30 days. Renew before expiration to avoid service disruptions
HTTPS connection fails from client
- Verify the hostname resolves via DNS from the client machine
- Confirm the firewall allows inbound connections on the service port
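- If using a self-signed certificate, the client must trust the certificate or bypass certificate validation. Bypassing validation removes the protection against interception that TLS provides, so limit it to development and testing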