Certificates and Security

OptimaGPT uses HTTPS to encrypt traffic between users, applications, and the Gateway. Configuring a TLS certificate allows browsers to trust the connection and removes security warnings.

Certificate management requires the Certificate Management permission.

Certificate status

The current certificate status is visible in Settings → Security. Two indicators are shown:

  • Certificate trusted / not trusted — Whether the installed certificate is issued by a trusted certificate authority. A self-signed certificate will show as not trusted.
  • Optima using HTTPS / HTTP only — Whether the Gateway is currently serving traffic over HTTPS.

Without a certificate configured, the Gateway runs on HTTP only. Browsers will flag this as insecure, and some features (such as clipboard access in the chat UI) may be unavailable.

Configuring a certificate

Certificates are configured from two places in the interface:

  • Configuration page → Gateway Certificate section — Quick access to select or change the active certificate
  • Settings → Security → Manage Certificates — Full certificate management

[Screenshot: Configuration page showing the Gateway Certificate section with a Select Certificate button and the currently active certificate name]

Click Select Certificate (or Manage Certificates in Settings) to open the certificate selector.

Certificate types

OptimaGPT supports the following certificate formats:

  • PFX / PKCS#12 — A bundled file containing the certificate and private key (.pfx or .p12). Commonly exported from Windows Certificate Manager or a CA portal.
  • Windows Certificate Store — On Windows, you can select a certificate directly from the local machine's certificate store.

For most on-premises deployments, a certificate issued by your organisation's internal CA will provide trusted HTTPS across all machines on the network without browser warnings.

If you do not have an internal CA, a self-signed certificate can be used. Because a self-signed certificate is not issued by a trusted certificate authority, browsers will show a security warning on first visit, but the connection is still encrypted. Users will need to accept the warning or add an exception.

Gateway port

The port the Gateway listens on can be changed in Settings → General. The default is 443 (standard HTTPS). If port 443 is in use, OptimaGPT will fall back to an alternative port automatically.

After changing the port, restart the Gateway service for the change to take effect.

Note: Changing the port means users and applications will need to include the port number in the Gateway URL — for example, https://your-gateway:8443.
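The two status indicators and the port note can also be checked from a client machine. The following is an added example, not part of OptimaGPT: the function names, the status strings, and the `cafile` parameter are assumptions made for illustration, and `your-gateway` is the placeholder host from the note above.

```python
import socket
import ssl


def gateway_url(host, port=443):
    """Build the Gateway URL; any port other than 443 must be spelled out."""
    return f"https://{host}" if port == 443 else f"https://{host}:{port}"


def probe_gateway(host, port=443, cafile=None, timeout=5.0):
    """Classify the Gateway as this client sees it. Returns (status, detail).

    "trusted"      chain and hostname verified against the trust store
    "not trusted"  TLS is served but verification failed (e.g. self-signed)
    "http only"    the port answers, but the TLS handshake fails for a
                   non-certificate reason (typically a plain-HTTP listener)
    "unreachable"  nothing accepted the connection on that port

    cafile: optional PEM file of an internal CA to verify against
            instead of the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "trusted", f"expires {tls.getpeercert()['notAfter']}"
    except ssl.SSLCertVerificationError as exc:
        # Must be caught before SSLError, which is its parent class.
        return "not trusted", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "http only", str(exc)
    finally:
        sock.close()


if __name__ == "__main__":
    host, port = "your-gateway", 8443  # placeholder values, replace with your own
    status, detail = probe_gateway(host, port)
    print(f"{gateway_url(host, port)}: {status} ({detail})")
```

Running it from several workstations shows whether the internal CA is actually present in each machine's trust store, which the Settings page on the Gateway itself cannot tell you.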