Signing Key Generation¶
AgentCube uses an RSA key pair to sign JWT assertions for Oracle token exchange. The private key stays with AgentCube; the public certificate is imported into OCI.
Generate the Key Pair¶
```sh
# Generate RSA private key (2048-bit)
openssl genrsa -out agentcube-signing.pem 2048

# Generate self-signed X.509 certificate (5-year validity)
openssl req -new -x509 \
  -key agentcube-signing.pem \
  -out agentcube-signing.cer \
  -days 1825 \
  -subj "/CN=AgentCube MCP/O={organization_name}"
```
This produces two files:
| File | Purpose | Where It Goes |
|---|---|---|
| agentcube-signing.pem | Private key — signs JWT assertions | AgentCube environment variable |
| agentcube-signing.cer | Public certificate — verifies signatures | OCI Identity Domain trusted partner certificates |
Store the Private Key¶
For container deployments, base64-encode the private key (as a single line, without wrapping) and set the output as the AGENTCUBE_SIGNING_KEY_BASE64 environment variable.
Alternative: file path
If your deployment platform supports file mounting, you can mount the PEM file and use AGENTCUBE_SIGNING_KEY_PATH instead of the base64-encoded value. Base64 is recommended for Azure Container Apps where file mounting adds complexity.
Import the Certificate to OCI¶
See OCI Identity Domain Setup — Step 4.
Security Notes¶
- Protect the private key — treat it like a password. Store it in your platform's secret management (Azure Key Vault, environment secrets, etc.)
- Never commit the private key to source control
- Certificate expiry — the certificate expires after 5 years (1825 days). See Certificate Rotation for renewal procedures.
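The following script is an added example, not part of the AgentCube documentation or the project's own tooling. It walks the procedure above end to end: generate the key pair, base64-encode the private key into the form a container environment variable needs, decode it again and confirm the decoded key still matches the certificate's public key (a mismatch here is what an OCI signature-verification failure looks like from the outside), and finally check how far the certificate is from the 1825-day expiry mentioned under Security Notes. The organization name, the temporary working directory and the function names are assumptions for the example; `{organization_name}` is replaced with a placeholder value.

```sh
#!/bin/sh
# Added example (not from the AgentCube docs). Assumes openssl is on PATH.
set -eu

WORKDIR="$(mktemp -d)"          # scratch directory; real keys belong in a secret store
ORG_NAME="Example Org"          # placeholder standing in for {organization_name}

# Step 1: RSA private key plus self-signed certificate, exactly as the docs do.
generate_signing_material() {
    openssl genrsa -out "$WORKDIR/agentcube-signing.pem" 2048 2>/dev/null
    openssl req -new -x509 \
        -key "$WORKDIR/agentcube-signing.pem" \
        -out "$WORKDIR/agentcube-signing.cer" \
        -days 1825 \
        -subj "/CN=AgentCube MCP/O=$ORG_NAME" 2>/dev/null
}

# Step 2: single-line base64 for AGENTCUBE_SIGNING_KEY_BASE64.
# "-A" disables line wrapping and behaves the same on GNU and BSD/macOS openssl,
# which plain "base64 -w0" does not.
encode_private_key() {
    openssl base64 -A -in "$WORKDIR/agentcube-signing.pem"
}

# The encoded value must contain no newlines, or most platforms truncate the
# variable at the first line break. Returns 0 when it is a single line.
is_single_line() {
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

# Check: decode the variable back to PEM and compare the SHA-256 of the
# DER-encoded public key from the key file with the one inside the certificate.
# Returns 0 when they match, i.e. the stored key really is the one OCI trusts.
verify_roundtrip() {
    encoded="$(encode_private_key)"
    is_single_line "$encoded" || return 1
    printf '%s' "$encoded" | openssl base64 -d -A > "$WORKDIR/decoded.pem"
    key_fp="$(openssl pkey -in "$WORKDIR/decoded.pem" -pubout -outform DER 2>/dev/null \
             | openssl dgst -sha256)"
    cert_fp="$(openssl x509 -in "$WORKDIR/agentcube-signing.cer" -pubkey -noout \
             | openssl pkey -pubin -outform DER 2>/dev/null \
             | openssl dgst -sha256)"
    [ "$key_fp" = "$cert_fp" ]
}

# Rotation planning: returns 0 if the certificate is still valid in N days,
# non-zero if it expires sooner (openssl's -checkend takes seconds).
cert_valid_for_days() {
    days="$1"
    openssl x509 -in "$WORKDIR/agentcube-signing.cer" -noout \
        -checkend "$((days * 86400))" >/dev/null
}

# Stand-alone run: generate, verify, and report.
generate_signing_material
if verify_roundtrip; then
    echo "decoded key matches certificate public key"
fi
if cert_valid_for_days 90; then
    echo "certificate is valid for at least 90 more days"
fi
echo "work dir: $WORKDIR (delete when done)"
```

In a real deployment the output of `encode_private_key` goes straight into the platform's secret store rather than a shell variable, and the `verify_roundtrip` check is the one worth running whenever the secret is re-entered by hand: it catches a wrapped or truncated value before the first token exchange fails. Scheduling `cert_valid_for_days` with a comfortable margin (for example 90) gives an early signal for the rotation procedure.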