MCP server SSL certificate

Why certificate problems are worse for MCP than for web apps

A browser presents an interstitial when it encounters a certificate error: expired cert, hostname mismatch, or untrusted chain. The user can click through (for most non-HSTS errors), and the session continues with a warning. Agent frameworks have no equivalent mechanism. Python's httpx, Node's native https module, and the TypeScript MCP SDK all raise exceptions on certificate errors and halt execution. The agent turn fails. The user sees a generic error or nothing at all.

This difference matters for incident classification. A cert error on a web application is degraded (some users will click through). A cert error on an MCP server is a P1 outage. It affects every agent that tries to connect, from every location, until the certificate is renewed. The MTTR for a cert-expiry outage is bounded by how quickly your team can detect it and rotate the cert — often 30 minutes to several hours if no one is watching.

Modern certificate authorities issue 90-day certificates. Let's Encrypt, the most common CA for public MCP servers, operates on the 90-day cycle by design. On a 90-day cert, the renewal window is narrow. An unmonitored server whose auto-renewal silently fails will expire without warning.

What a TLS health check for an MCP server covers

Certificate validity and expiry

The most obvious check: is the certificate currently valid, and when does it expire? The expiry date is in the certificate's notAfter field. Checking this requires completing the TLS handshake, not just fetching the HTTP response. An expired certificate aborts the handshake before any HTTP bytes are exchanged.

Expiry countdown alerts should fire well before the problem, not at expiry. Reasonable alert thresholds for a 90-day certificate:

• 30 days remaining — informational. Verify that auto-renewal is configured and scheduled before the 14-day window.
• 14 days remaining — warning. Auto-renewal has not completed on a cert that should have renewed by now. Investigate the renewal pipeline.
• 7 days remaining — urgent. Page the on-call. A cert that expires in 7 days with no renewal in sight is a P1 incident in slow motion.
• 1 day remaining — critical. Rotate immediately. At this point, any agents that cache TLS sessions may lose connectivity mid-session as the cert expires.

Certificate chain completeness

A TLS certificate is signed by an intermediate CA, which is itself signed by a root CA. Clients validate the entire chain. If your server serves only the leaf certificate and omits the intermediate, some clients will fail even though the leaf certificate is valid and not expired. This is an extremely common misconfiguration on new deployments.

Browsers handle incomplete chains by downloading missing intermediates (AIA fetching). Agent frameworks and server-side TLS clients generally do not. A server that passes browser testing with an incomplete chain will fail when called from a Python or Node.js agent.

The fix is simple: include the full certificate chain in your server's TLS configuration. In nginx, use the ssl_certificate directive pointing to a file that contains both your leaf cert and the intermediate. In Caddy, the chain is assembled automatically.

Subject Alternative Name matching

The Common Name (CN) field in a certificate has been deprecated for hostname verification since RFC 2818 was clarified in practice. All modern TLS clients verify the Subject Alternative Name (SAN) extension. A certificate with only a CN field, no SANs, will fail in modern agent frameworks even if the CN matches the hostname. If you generated your certificate without specifying SANs, regenerate it.

Wildcard certificates are valid as SANs. A certificate for *.example.com covers mcp.example.com but not api.mcp.example.com (wildcards don't span subdomains). If your MCP server is at a multi-level subdomain, you need either a specific SAN for that subdomain or a multi-level wildcard (which most CAs don't issue for standard pricing).

TLS version compatibility

TLS 1.0 and 1.1 are deprecated. TLS 1.2 is the current minimum for all agent frameworks. TLS 1.3 is supported by modern runtimes and offers slightly better performance (one fewer round trip on the handshake). If your MCP server is behind a reverse proxy or load balancer, the TLS version is controlled by the proxy, not your application code.

Most default configurations on modern systems (Caddy, nginx on Ubuntu 22.04+, AWS ALB) already enforce TLS 1.2 minimum. Legacy systems running on older Ubuntu versions or with hardened configurations that haven't been updated may still allow 1.0 or 1.1. Check with openssl s_client -connect your-server:443 -tls1 — if it connects, 1.0 is allowed; if the handshake fails, you're safe.

Certificate management for MCP servers in practice

Let's Encrypt auto-renewal with Caddy

Caddy (a popular reverse proxy for self-hosted MCP servers) manages TLS certificates automatically. It obtains certificates from Let's Encrypt, renews them 30 days before expiry, and reloads them without dropping connections. For most self-hosted MCP deployments, Caddy's auto-renewal is reliable — but it requires port 80 (for HTTP-01 challenge) or a DNS API key (for DNS-01 challenge) to be accessible at renewal time. If your firewall closes port 80 between deployment and renewal, or your DNS API key rotates, the renewal fails silently and the cert expires.

Cloud-managed certificates

AWS Certificate Manager, GCP Managed SSL, and Azure App Service Managed Certificates all handle rotation automatically and are tightly coupled to the load balancer or ingress. The renewal is handled by the cloud provider with no expiry risk for standard deployments. The gap is elsewhere: these certificates are attached to the load balancer, and the TLS termination happens there. Your MCP server itself receives plain HTTP from the load balancer. This means certificate monitoring at the load balancer layer (cloud console) and certificate monitoring from the external client's perspective (AliveMCP) may diverge if a misconfiguration routes traffic to the wrong backend.

Mutual TLS (mTLS)

Some private or enterprise MCP deployments use mutual TLS to authenticate both the server and the calling client. In mTLS, the MCP server presents a server certificate (same as standard TLS) and also requires a client certificate from the agent. Client certificates have expiry dates too, and they are often managed manually — making them a higher expiry risk than server certificates managed by automated CA pipelines. If you use mTLS, your certificate monitoring needs to cover client certs issued to your agent deployment in addition to the server cert.

How AliveMCP monitors TLS health

Every probe AliveMCP runs against a public MCP endpoint includes a TLS handshake check. The probe reports:

• Whether the handshake completed successfully
• The certificate's expiry date and days-remaining countdown
• Whether the certificate chain is complete
• The TLS version negotiated
• Whether the certificate's SAN matches the hostname being probed

A certificate error at the handshake layer is classified as a hard-down event — equivalent to the server refusing connections. The same three-consecutive-probe threshold that governs protocol-level downtime applies: three failed TLS handshakes in a row before marking the server down, to avoid false positives from transient network path issues.

On Author tier, you can configure expiry alerts for any server you own. AliveMCP fires a webhook alert (Slack, email, or PagerDuty) at configurable lead times — 30, 14, and 7 days by default — so you have ample time to rotate the certificate before any agent experiences an outage.

Get early access

Related questions

Further reading

• MCP server health check — the full probe sequence and what each step catches
• MCP server downtime — five categories and how to classify each
• MCP server incident response — P1/P2/P3 tiers and the alert-to-resolution workflow
• JSON-RPC health checks vs HTTP probes — what an MCP health check actually checks