All deployments of the ThingWorx server have the same embedded certificate that is used by default. A custom certificate can be used by providing its location and password in the fields of the Always On Settings mentioned.
In addition, it is also possible to tell the EMS to reject self-signed certificates. The default is for it to accept them though, so that it will work with the default cert we provide. To override this, add the following line to your config.lua:
agent.reject_selfsigned_cert = true