keyfactor-research/command-mcp

⚠️PREVIEW: Not recommended for production

Command-MCP

MCP server for Command built on the Keyfactor Analytics & AI team's Python SDK. This preview is experimental software, and users are discouraged from giving AI tools access to production data. The software is provided as-is, and no support SLA applies to this MCP server.

Prerequisites

  1. Keyfactor Command version 11 or higher
  2. Claude for Desktop
  3. Python 3

Operations and Required Permissions

  1. get_license. Retrieves information about the functionality licensed in Keyfactor Command, and serves as a basic connectivity test. Required permissions: None.
  2. get_certificate_details_by_id. Retrieves a certificate and associated metadata by cert id. If Command Risk Intelligence is enabled, includes risk data. Required permissions: Certificates: Collections: Read.
  3. enroll_certificate. PFX enrollment using provided subject and DNS SANs. Required permissions: Certificates: Enrollment: PFX.
  4. enroll_csr. Enrollment using a CSR provided to the MCP client. Required permissions: Certificates: Enrollment: CSR.
  5. revoke_certificate. Revoke a certificate by its certificate id. Required permissions: Certificates: Collections: Revoke.
  6. get_metadata_fields. Retrieve a list of all metadata fields and definitions present in Command. Required permissions: Metadata: Types: Read.
  7. query_certificates. Run a certificate search query to retrieve any matching certificates, with additional options including sorting. Required permissions: Certificates: Collections: Read.
  8. get_module_info_for_mcp. Does not use Command API. Returns a static definition describing the Command MCP Server.

Installation

  1. Download this repo. These directions assume a download to "C:\mcp".
  2. Create or identify an account in Command that has the required permissions to perform any operation you intend to use.
  3. Put the environment variables in C:\mcp\mcpenv.txt, one per line, using information from your Command environment and the account you created:
    Basic auth:
      KEYFACTOR_HOSTNAME='...'
      KEYFACTOR_TOKEN='...'
      KEYFACTOR_TEMPLATE='WebServer'
      KEYFACTOR_CA='kftrain.keyfactor.lab\keyfactor-KFTRAIN-CA'
    OAuth:
      KEYFACTOR_HOSTNAME=...
      KEYFACTOR_URLBASE=Keyfactor/API
      COMMAND_IDP_TOKENURL=...
      COMMAND_IDP_CLIENTID=...
      COMMAND_IDP_CLIENTSECRET=...
      COMMAND_IDP_AUDIENCE=...
      KEYFACTOR_TEMPLATE=Server_tlsServerAuth-1y
      KEYFACTOR_CA=http://ejbca-ca.jdk-2025-may.svc.cluster.local:8082/ejbca\\Sub-CA
  4. Run this command (you may need to use "pip3" if pip is pointing at Python 2.x):
    pip install requests oauthlib httpx attrs python-dateutil uv
  5. Test that this command will run from CLI and print "Initializing MCP server":
    uv --directory C:\\mcp run --env-file=C:\\mcp\\mcpenv.txt commandmcp.py
  6. In Claude, press Ctrl+Comma to open settings, go to developer, and click "edit config". Put this in claude_desktop_config.json in the folder it takes you to:
    {
      "mcpServers": {
        "keyfactorCommand": {
          "command": "uv",
          "args": [
            "--directory", "C:\\mcp",
            "run",
            "--env-file=C:\\mcp\\mcpenv.txt",
            "commandmcp.py"
          ]
        }
      }
    }
  7. In Claude, go to Settings->Integration and make your desired selections about enabled operations and when Claude should ask for permission. It is recommended to have Claude ask before each use of the enrollment and revocation functions, at minimum.
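
An added example, not part of this repository: a preflight check for the mcpenv.txt file from step 3 that reports missing or run-together variables by key name only, so secret values are never echoed. The function name check_env is hypothetical, and treating every key listed for an auth mode as required (with COMMAND_IDP_* marking OAuth) is an assumption.

```python
import re

# Key sets as listed in installation step 3. Treating every listed key as
# required, and COMMAND_IDP_* as the OAuth marker, are assumptions of this example.
COMMON = {"KEYFACTOR_HOSTNAME", "KEYFACTOR_TEMPLATE", "KEYFACTOR_CA"}
BASIC = COMMON | {"KEYFACTOR_TOKEN"}
OAUTH = COMMON | {"KEYFACTOR_URLBASE", "COMMAND_IDP_TOKENURL", "COMMAND_IDP_CLIENTID",
                  "COMMAND_IDP_CLIENTSECRET", "COMMAND_IDP_AUDIENCE"}
ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
EXTRA = re.compile(r"\s[A-Z][A-Z0-9_]*=")  # a second KEY= after whitespace


def check_env(text):
    """Return (auth_mode, problems); problems name keys and lines, never values."""
    values, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            problems.append(f"line {n}: not KEY=value")
            continue
        key, value = m.groups()
        if EXTRA.search(value):
            problems.append(f"line {n}: more than one variable on the line")
        if key in values:
            problems.append(f"line {n}: {key} set twice")
        values[key] = value.strip().strip("'\"")
    has_oauth = any(k.startswith("COMMAND_IDP_") for k in values)
    if has_oauth and "KEYFACTOR_TOKEN" in values:
        problems.append("both basic-auth and OAuth credentials present")
    for key in sorted(OAUTH if has_oauth else BASIC):
        if not values.get(key):
            problems.append(f"{key} missing or empty")
    return ("oauth" if has_oauth else "basic"), problems


if __name__ == "__main__":
    # Constructed sample: two assignments run together on line 2.
    sample = (
        "KEYFACTOR_HOSTNAME='command.example.test'\n"
        "KEYFACTOR_TOKEN='constructed'   KEYFACTOR_TEMPLATE='WebServer'\n"
        "KEYFACTOR_CA='ca.example.test'\n"
    )
    print(check_env(sample))
```

A missing KEYFACTOR_TEMPLATE or KEYFACTOR_CA matters because, per the Notes, those two variables are what scope MCP clients to the intended enrollment types.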

Notes

  • ⚠️ This preview software is considered experimental and is not recommended for production use.
  • For security purposes, this MCP server is deployed as a local MCP server to a client like Claude for Desktop.
  • Template and CA parameters to be used for enrollment must be specified as environment variables to the MCP server to scope MCP clients to only the intended enrollment types. Permissions and availability must be set on this template and CA.
  • See comments in "commandmcp.py" or interrogate your MCP client for additional details on implemented operations.
  • See the Keyfactor Command Reference Guide for information on Keyfactor Command and required permissions.
