How to set up and test the MCP server with a dev certificate (TLS)

Anahita Goljahani edited this page Jan 6, 2026 · 11 revisions

How to create a self-signed certificate

To create a self-signed certificate that your browser can trust, first create a configuration file named, e.g., openssl.cnf. A minimal configuration file is shown below:

[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_req

[ dn ]
CN = localhost

[ v3_req ]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1

Then, run the command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -config openssl.cnf

The following two files will be generated:

  • server.key, which contains the private key
  • server.crt, which contains the certificate

Add the paths to these two files to the MCP configuration file by setting the two configuration variables:

  • TLS_KEY_PATH
  • TLS_CERT_PATH
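
Before pointing TLS_KEY_PATH and TLS_CERT_PATH at the files, it helps to confirm that the certificate carries the expected names and matches the key. The script below is an added example, not part of the project: it regenerates the certificate from the configuration above in a directory of your choice and checks it. The function names make_dev_cert and check_dev_cert are hypothetical.

```sh
#!/bin/sh
# Added example (not project code): generate the page's dev certificate in a
# scratch directory and check the properties TLS clients depend on.

make_dev_cert() {   # $1 = output directory (hypothetical helper)
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_req
[ dn ]
CN = localhost
[ v3_req ]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ alt_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
EOF
    # umask 077 keeps the unencrypted (-nodes) private key owner-only.
    ( umask 077 && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1/server.key" -out "$1/server.crt" -config "$1/openssl.cnf" )
}

check_dev_cert() {  # $1 = certificate, $2 = private key; returns 0 if all pass
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    # Clients match the host against subjectAltName, not CN.
    printf '%s\n' "$text" | grep -q 'DNS:localhost' || return 2
    printf '%s\n' "$text" | grep -q 'IP Address:127.0.0.1' || return 3
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 4
    # The certificate must carry the public half of this private key.
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ] || return 5
    # Reject a certificate that expires within the next 24 hours.
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null || return 6
    # The key file must not be readable by group or others.
    [ "$(ls -l "$2" | cut -c5-10)" = "------" ] || return 7
}

# Usage: sh check_dev_cert.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    check_dev_cert "$1" "$2" && echo "dev certificate OK"
fi
```

A non-zero return code identifies the failed check: 2 to 4 for missing extensions, 5 for a key that does not belong to the certificate, 6 for expiry, 7 for key file permissions.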

How to run Node.js applications that accept self-signed certificates

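To run Node.js applications that accept self-signed certificates, set NODE_TLS_REJECT_UNAUTHORIZED=0 before the node or npx command. This setting disables certificate verification for every TLS connection the Node.js process makes, not only the connection to the server that uses the self-signed certificate.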

For instance, NODE_TLS_REJECT_UNAUTHORIZED=0 should be used in the following cases:

  • in the command to run the MCP Inspector, when you wish to test an MCP server using a self-signed certificate in proxy mode, i.e.,
NODE_TLS_REJECT_UNAUTHORIZED=0 npx @modelcontextprotocol/inspector
  • in the command to run the mcp-remote when the MCP server is using a self-signed certificate; if the mcp-remote is executed by Claude Desktop, add the following server configuration to its configuration file ~/Library/Application\ Support/Claude/claude_desktop_config.json:
{
  "mcpServers": {
    "Apache OFBiz mcp server": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://localhost:3000/mcp"],
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      }
    }
  }
}
  • in the command to run the MCP server when OFBiz is using a self-signed certificate, i.e.,
NODE_TLS_REJECT_UNAUTHORIZED=0 node ./build/server.js path_to_configuration_folder path_to_tools_folder

How to trust a self-signed certificate in a browser

In order to use a browser to connect to an MCP server running over TLS with a self-signed certificate—for instance, to test the MCP server with the Inspector in ‘direct’ connection mode—you need to make the browser accept your self-signed certificate.

The recommended way to do this is to import the certificate into your operating system's trust store.

On macOS, certificates are imported and trusted via Keychain Access as follows.

  1. Open Keychain Access
  2. Select System from the sidebar
  3. From the File menu, select 'Import Items...', then browse to your .crt certificate and click on 'Open'
  4. Double-click on the certificate, expand the 'Trust' section and set 'When using this certificate' to 'Always Trust'