Removal of Default Self-Signed TLS Certificates from Container Image

Platform 6 requires you to provide your own TLS certificates. The Platform 6 container image no longer includes default self-signed TLS certificates.

Before you begin

This breaking change affects you if you:

  • Upgrade to Platform 6 from a previous version
  • Use HTTPS/TLS connectivity with Itential Automation Platform
  • Previously used the default self-signed certificates included in the container

What's changed

Previous versions of the Platform 6 container image included default self-signed TLS certificates. Platform 6 removes these certificates. You must provide your own certificates and keys for TLS/HTTPS connectivity.

This change follows security best practices. You maintain full control over your certificate lifecycle, including generation, signing, and management.

Provide TLS certificates

Certificate requirements

Provide TLS certificates that meet the following requirements:

  • X.509 format
  • Certificate file (.crt or .pem)
  • Private key file (.key)

You can configure the file location and naming through environment variables or property files.

Configure certificate paths

Set the certificate and key file paths using one of the following methods:

Option 1: Environment variables

ITENTIAL_WEBSERVER_HTTPS_CERT=/path/to/your/certificate.crt
ITENTIAL_WEBSERVER_HTTPS_KEY=/path/to/your/private-key.key

Option 2: Property file variables

webserver_https_cert=/path/to/your/certificate.crt
webserver_https_key=/path/to/your/private-key.key

Choose the right certificate type

Use the following certificate types based on your environment:

  • Testing and development: Self-signed certificates
  • Production: Certificates signed by a trusted Certificate Authority (CA)

Generate self-signed certificates for testing

To generate self-signed certificates for testing, use OpenSSL:

openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout itential-platform.key \
  -out itential-platform.crt \
  -days 365 \
  -subj "/CN=your-hostname"

Caution: Only use self-signed certificates in non-production environments.

Troubleshoot certificate issues

Itential Platform fails to start

Itential Platform fails to start with an error message when certificates are missing or paths are incorrect:

2026-02-05T12:24:35.462Z - error: origin=/opt/itential/platform/server/startup.js:1, 
message=[ 'Fatal error during startup' ], 
error=[ Error: TLS file not found: /etc/ssl/itential/itential-platform.key

To resolve this issue:

  1. Verify that certificate and key files exist at the specified paths.
  2. Verify that the container has read permissions for the certificate files.
  3. Verify that the paths in your environment variables or property files are correct.
  4. Verify that the certificate and key files use properly formatted X.509 certificates.
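
The four checks above can be run as a pre-flight script before starting the container. This is an added example, not Itential's own tooling: the function name check_tls_files and its return codes are assumptions, and it expects an unencrypted key such as the one the -nodes command on this page produces. It goes beyond the listed steps by also confirming that the key belongs to the certificate and that the certificate has not expired.

```shell
#!/bin/sh
# Added example (not Itential tooling): pre-flight check for the TLS files.
# check_tls_files and its return codes are assumptions of this sketch.
# Usage: check_tls_files [cert-path key-path]
# Without arguments it reads the environment variables named on this page.

check_tls_files() {
    cert="${1:-${ITENTIAL_WEBSERVER_HTTPS_CERT:-}}"
    key="${2:-${ITENTIAL_WEBSERVER_HTTPS_KEY:-}}"

    # Step 3: both paths must be configured at all.
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "FAIL: certificate or key path is not set" >&2
        return 1
    fi

    # Steps 1 and 2: files exist and the current user can read them.
    # Run this as the container's user, or [ -r ] tests the wrong identity.
    for f in "$cert" "$key"; do
        [ -f "$f" ] || { echo "FAIL: file not found: $f" >&2; return 2; }
        [ -r "$f" ] || { echo "FAIL: file not readable: $f" >&2; return 3; }
    done

    # Step 4: the certificate parses as X.509 and the key parses as a key.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: not an X.509 certificate: $cert" >&2; return 4; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "FAIL: not a usable private key: $key" >&2; return 5; }

    # Extra check: the public key in the certificate must equal the public
    # key derived from the private key, or the TLS listener cannot use the pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate" >&2; return 6; }

    # Extra check: -checkend 0 exits non-zero if the certificate has expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired: $cert" >&2; return 7; }

    echo "OK: $cert and $key are present, readable, well-formed and matched"
    return 0
}
```

Each failure has its own return code, so a container entrypoint or CI job can report which of the steps failed instead of the generic startup error.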