Keyfactor Command MCP Server
@keyfactor-research
The Keyfactor Command MCP (Model Context Protocol) server provides AI-powered access to Keyfactor Command, a comprehensive Certificate Lifecycle Management (CLM) and Public Key Infrastructure (PKI) automation platform. This server enables natural language interactions with X.509
Overview
What is Keyfactor Command MCP Server?
An experimental Model Context Protocol server for Keyfactor Command built on the Keyfactor Analytics & AI team’s Python SDK. It enables AI assistants like Claude for Desktop to interact with a Keyfactor Command instance (version 11 or higher) for certificate operations, using either basic or OAuth authentication.
How to use Keyfactor Command MCP Server?
Download the repository, create a Command account with the required permissions, set environment variables in a mcpenv.txt file (hostname, token/OAuth credentials, template, CA), install Python dependencies (requests, oauthlib, httpx, attrs, python-dateutil, uv), test the server from the CLI, then add it to Claude Desktop’s MCP configuration in claude_desktop_config.json.
Key features of Keyfactor Command MCP Server
- Retrieve license information and test connectivity
- Fetch certificate details by ID with optional risk data
- Enroll PFX certificates using subject and SANs
- Enroll certificates via CSR
- Revoke certificates by certificate ID
- Query certificates with search and sort options
- List metadata fields and definitions
Use cases of Keyfactor Command MCP Server
- Automate certificate enrollment and revocation through an AI chat interface
- Quickly look up certificate metadata and risk information
- Run certificate searches and inspections without Command’s Web UI
- Integrate certificate lifecycle management into AI‑powered workflows
FAQ from Keyfactor Command MCP Server
What operations are supported?
The server supports eight operations: get_license, get_certificate_details_by_id, enroll_certificate, enroll_csr, revoke_certificate, get_metadata_fields, query_certificates, and get_module_info_for_mcp. Each operation requires specific Command permissions.
Is this server ready for production?
No. This preview is explicitly experimental and not recommended for production use. It is provided as‑is without support SLA. Users are discouraged from giving AI tools access to production data.
How do I authenticate to Keyfactor Command?
Authentication can be done via Basic auth (using KEYFACTOR_HOSTNAME and KEYFACTOR_TOKEN) or OAuth (using KEYFACTOR_HOSTNAME, COMMAND_IDP_TOKENURL, COMMAND_IDP_CLIENTID, COMMAND_IDP_CLIENTSECRET, and COMMAND_IDP_AUDIENCE). All variables are set in an environment file.
What dependencies are required?
You need Keyfactor Command version 11 or higher, Claude for Desktop, Python 3, and the packages requests, oauthlib, httpx, attrs, python-dateutil, and uv.
Can the server be used remotely?
No. For security, the MCP server is deployed as a local MCP server to a client like Claude for Desktop. It is not intended for remote or shared use.