Command Mcp

@keyfactor-research, 10 days ago
4 MIT
Free, Community
AI Systems
MCP server for Command built on the Analytics & AI team's Python SDK

Overview

What is Command Mcp

command-mcp is an MCP server designed for Command, built on the Keyfactor Analytics & AI team’s Python SDK. It is currently in a preview stage and is considered experimental software.

Use cases

Use cases for command-mcp include automating certificate enrollment processes, managing certificate revocation, retrieving certificate metadata for compliance purposes, and conducting certificate searches to ensure security and compliance.

How to use

To use command-mcp, download the repository, set up an account in Keyfactor Command with the necessary permissions, and configure environment variables in the specified file. Users can then execute various operations such as retrieving license information, enrolling certificates, and revoking certificates.

Key features

Key features of command-mcp include the ability to retrieve certificate details, enroll certificates using PFX or CSR, revoke certificates, and query certificates with sorting options. It also allows users to get metadata fields and module information.

Where to use

command-mcp is used in environments that require certificate management and security, particularly in organizations utilizing Keyfactor Command for their digital certificate lifecycle management.

Content

⚠️PREVIEW: Not recommended for production

Command-MCP

MCP server for Command built on the Keyfactor Analytics & AI team’s Python SDK. This preview is experimental software, and you are discouraged from giving AI tools access to your production data. This software is provided as-is and no support SLA applies to this MCP server.

Prerequisites

  1. Keyfactor Command version 11 or higher
  2. Claude for Desktop
  3. Python 3

Operations and Required Permissions

  1. get_license. Retrieves information about functionality license in Keyfactor Command, and serves as a basic connectivity test. Required permissions: None.
  2. get_certificate_details_by_id. Retrieves a certificate and associated metadata by cert id. If Command Risk Intelligence is enabled, includes risk data. Required permissions: Certificates: Collections: Read.
  3. enroll_certificate. PFX enrollment using provided subject and DNS SANs. Required Permissions: Certificates: Enrollment: PFX.
  4. enroll_csr. Enrollment using a CSR provided to the MCP client. Required Permissions: Certificates: Enrollment: CSR.
  5. revoke_certificate. Revoke a certificate by its certificate id. Required Permissions: Certificates: Collections: Revoke.
  6. get_metadata_fields. Retrieve a list of all metadata fields and definitions present in Command. Required Permissions: Metadata: Types: Read.
  7. query_certificates. Run a certificate search query to retrieve any matching certificates, with additional options including sorting. Required Permissions: Certificates: Collections: Read.
  8. get_module_info_for_mcp. Does not use Command API. Returns a static definition describing the Command MCP Server.

Installation

  1. Download this repo. These directions assume a download to “C:\mcp.”
  2. Create or identify an account in Command that has the required permissions to perform any operation you intend to use.
  3. Put envvars in C:\mcp\mcpenv.txt. One line each, using information from your Command environment and the account you created:
    Basic auth:
      KEYFACTOR_HOSTNAME='…'
      KEYFACTOR_TOKEN='…'
      KEYFACTOR_TEMPLATE='WebServer'
      KEYFACTOR_CA='kftrain.keyfactor.lab\keyfactor-KFTRAIN-CA'
    OAuth:
      KEYFACTOR_HOSTNAME=…
      KEYFACTOR_URLBASE=Keyfactor/API
      COMMAND_IDP_TOKENURL=…
      COMMAND_IDP_CLIENTID=…
      COMMAND_IDP_CLIENTSECRET=…
      COMMAND_IDP_AUDIENCE=…
      KEYFACTOR_TEMPLATE=Server_tlsServerAuth-1y
      KEYFACTOR_CA=http://ejbca-ca.jdk-2025-may.svc.cluster.local:8082/ejbca\\Sub-CA
  4. Run this command (you may need to use “pip3” if pip is pointing at Python 2.x):
    pip install requests oauthlib httpx attrs python-dateutil uv
  5. Test that this command will run from CLI and print “Initializing MCP server”:
    uv --directory C:\\mcp run --env-file=C:\\mcp\\mcpenv.txt commandmcp.py
  6. In Claude, press Ctrl+Comma to open settings, go to developer, and click “edit config”. Put this in claude_desktop_config.json in the folder it takes you to:
    {
      "mcpServers": {
        "keyfactorCommand": {
          "command": "uv",
          "args": [
            "--directory",
            "C:\\mcp",
            "run",
            "--env-file=C:\\mcp\\mcpenv.txt",
            "commandmcp.py"
          ]
        }
      }
    }
  7. In Claude, go to Settings->Integration and make your desired selections about enabled operations and when Claude should ask for permission. It is recommended to have Claude ask before each use of the enrollment and revocation functions, at minimum.
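
A pre-flight check for the mcpenv.txt file from step 3, as an added example (not code from the command-mcp repository): it reports variables missing from the Basic or OAuth layout, placeholder values, curly quotes pasted from rendered documentation, and a non-HTTPS token URL. `parse_env` is a simplified dotenv reader written for this example rather than uv's own parser, and the "keep one credential set" and HTTPS rules are this linter's policy, not documented server behaviour.

```python
# Variable names come from the two mcpenv.txt layouts in step 3 of Installation.
COMMON = {"KEYFACTOR_HOSTNAME", "KEYFACTOR_TEMPLATE", "KEYFACTOR_CA"}
BASIC = COMMON | {"KEYFACTOR_TOKEN"}
OAUTH = COMMON | {"KEYFACTOR_URLBASE", "COMMAND_IDP_TOKENURL", "COMMAND_IDP_CLIENTID",
                  "COMMAND_IDP_CLIENTSECRET", "COMMAND_IDP_AUDIENCE"}
SMART_QUOTES = "\u2018\u2019\u201c\u201d"
PLACEHOLDERS = ("", "...", "\u2026")

def parse_env(text):
    """Simplified dotenv reader: KEY=VALUE, one pair of ASCII quotes stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env

def lint_env(text):
    """Return findings for an mcpenv.txt body; an empty list means it passes."""
    env, findings = parse_env(text), []
    oauth = any(key.startswith("COMMAND_IDP_") for key in env)
    if oauth and "KEYFACTOR_TOKEN" in env:
        findings.append("Basic and OAuth credentials both present; keep one set")
    for key in sorted((OAUTH if oauth else BASIC) - set(env)):
        findings.append(f"{key}: missing")
    for key, value in sorted(env.items()):
        if any(q in value for q in SMART_QUOTES):
            findings.append(f"{key}: typographic quote stays in the value")
        elif value in PLACEHOLDERS:
            findings.append(f"{key}: placeholder or empty")
        elif key == "COMMAND_IDP_TOKENURL" and not value.lower().startswith("https://"):
            findings.append(f"{key}: not https, client secret sent in clear text")
    return findings

# Constructed sample (hostnames and values are made up for this example).
BAD_SAMPLE = """\
KEYFACTOR_HOSTNAME=\u2018command.example.test\u2019
KEYFACTOR_URLBASE=Keyfactor/API
COMMAND_IDP_TOKENURL=http://idp.example.test/token
COMMAND_IDP_CLIENTSECRET=\u2026
KEYFACTOR_TEMPLATE=WebServer
"""

if __name__ == "__main__":
    print("\n".join(lint_env(BAD_SAMPLE)))
```

To check a real file, pass its contents to `lint_env` (for example `lint_env(open(r"C:\mcp\mcpenv.txt", encoding="utf-8").read())`); findings name only the variable, never its value.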

Notes

  • ⚠️ This preview software is considered experimental and is not recommended for production use.
  • For security purposes, this MCP server is deployed as a local MCP server to a client like Claude for Desktop.
  • Template and CA parameters to be used for enrollment must be specified as environment variables to the MCP server to scope MCP clients to only the intended enrollment types. Permissions and availability must be set on this template and CA.
  • See comments in “commandmcp.py” or interrogate your MCP client for additional details on implemented operations.
  • See the Keyfactor Command Reference Guide for information on Keyfactor Command and required permissions.
