
Signing Key Generation

AgentCube uses an RSA key pair to sign the JWT assertions it presents to OCI during token exchange. The private key never leaves the AgentCube deployment; only the public X.509 certificate is imported into the OCI Identity Domain, where it is used to verify the assertion signatures.

Generate the Key Pair

# Generate RSA private key (2048-bit)
openssl genrsa -out agentcube-signing.pem 2048

# Generate self-signed X.509 certificate (5-year validity)
openssl req -new -x509 \
  -key agentcube-signing.pem \
  -out agentcube-signing.cer \
  -days 1825 \
  -subj "/CN=AgentCube MCP/O={organization_name}"

This produces two files:

File                   | Purpose                                  | Where It Goes
-----------------------|------------------------------------------|------------------------------------------------------------
agentcube-signing.pem  | Private key; signs JWT assertions        | AgentCube (AGENTCUBE_SIGNING_KEY_BASE64 or AGENTCUBE_SIGNING_KEY_PATH)
agentcube-signing.cer  | Public certificate; verifies signatures  | OCI Identity Domain trusted partner certificates

Store the Private Key

For container deployments, base64-encode the private key as a single line (no line wrapping):

base64 -w 0 agentcube-signing.pem

The -w 0 flag is GNU coreutils syntax. On macOS and BSD, base64 does not wrap by default and rejects -w; use base64 < agentcube-signing.pem | tr -d '\n' instead, which works on both.

Set the output as the AGENTCUBE_SIGNING_KEY_BASE64 environment variable. Base64 is an encoding, not a protection: the value is still the private key and must be stored as a secret, not as a plain environment variable in a task definition or compose file.

Alternative: file path

If your deployment platform supports file mounting, you can mount the PEM file (readable only by the AgentCube process user) and set AGENTCUBE_SIGNING_KEY_PATH instead of the base64-encoded value. Base64 is recommended for managed container platforms (Azure Container Apps, AWS ECS, OCI Container Instances) where mounting a file from a secret store is not straightforward.
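The following script ties the steps above together as an added example; it is not part of AgentCube's own tooling. It generates the key pair with a restrictive umask, base64-encodes the private key in a way that works with both GNU and BSD base64, decodes it back, and then checks two things a practitioner wants to know before deploying: that the decoded private key really matches the certificate that will be imported into OCI (by comparing SHA-256 hashes of the DER-encoded public keys), and that the certificate still has the expected validity left. The subject values and the function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not AgentCube's own code. Requires the openssl CLI.
set -eu

# Generate the RSA private key and self-signed certificate into $1.
# The subshell keeps umask 077 local, so the PEM is created mode 0600.
# The CN/O values are placeholders; use your organization name in practice.
generate_signing_keypair() {
  workdir=$1
  (
    umask 077
    openssl genrsa -out "$workdir/agentcube-signing.pem" 2048 2>/dev/null
    openssl req -new -x509 \
      -key "$workdir/agentcube-signing.pem" \
      -out "$workdir/agentcube-signing.cer" \
      -days 1825 \
      -subj "/CN=AgentCube MCP/O=Example Org" 2>/dev/null
  )
}

# Base64-encode a file as one line. GNU base64 needs -w 0 for that and BSD
# base64 rejects -w, so read from stdin and strip newlines instead; this
# produces the same value as "base64 -w 0 file" on GNU systems.
encode_key_b64() {
  base64 < "$1" | tr -d '\n'
}

# Decode a base64 value (e.g. AGENTCUBE_SIGNING_KEY_BASE64) back to PEM at $2.
decode_key_b64() {
  printf '%s' "$1" | base64 -d > "$2"
}

# Return 0 if private key $1 and certificate $2 carry the same public key.
# Both are reduced to DER-encoded SubjectPublicKeyInfo and hashed, which
# avoids comparing PEM text that may differ only in formatting.
keypair_matches() {
  key_hash=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}')
  cert_hash=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}')
  [ -n "$key_hash" ] && [ "$key_hash" = "$cert_hash" ]
}

# Return 0 if certificate $1 will still be valid $2 days from now.
# -checkend exits non-zero when the certificate expires within the window.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Usage (run manually):
#   d=$(mktemp -d); generate_signing_keypair "$d"
#   b64=$(encode_key_b64 "$d/agentcube-signing.pem")
#   decode_key_b64 "$b64" "$d/check.pem"
#   keypair_matches "$d/check.pem" "$d/agentcube-signing.cer" && echo "key matches cert"
#   cert_valid_for_days "$d/agentcube-signing.cer" 1800 && echo "cert has >1800 days left"
```

Run keypair_matches against the decoded value of the secret you actually stored, not the file you generated: it catches a truncated or mis-pasted AGENTCUBE_SIGNING_KEY_BASE64 before OCI rejects every assertion with a signature error.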

Import the Certificate to OCI

See OCI Identity Domain Setup — Step 4.

Security Notes

  • Protect the private key: treat it like a password. Anyone holding it can mint JWT assertions that OCI will accept for token exchange. Store it in your platform's secret management (Azure Key Vault, environment secrets, etc.), keep the PEM file readable only by the AgentCube process user, and make sure it is never written to logs or build output.
  • Never commit the private key to source control. The base64-encoded form is just as sensitive as the PEM file.
  • If the key is compromised, remove the certificate from the OCI Identity Domain's trusted partner certificates so existing assertions stop validating, then generate a new pair and import the new certificate.
  • Certificate expiry: the certificate expires after 1825 days (about 5 years), after which OCI rejects assertions signed with the key. Check the remaining validity with openssl x509 -in agentcube-signing.cer -noout -enddate and rotate before that date. See Certificate Rotation for renewal procedures.

Next Steps