Command

Local Python-based MCP server enabling Keyfactor Command operations via a CLI client for enrollment, revocation, and certificate queries.
  • Language: python
  • GitHub Stars: 5
  • First Indexed: 4 months ago
  • Catalog Refreshed: 3 weeks ago

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "keyfactor-research-command-mcp": {
      "command": "uv",
      "args": [
        "--directory",
        "C:\\mcp",
        "run",
        "--env-file=C:\\mcp\\mcpenv.txt",
        "commandmcp.py"
      ],
      "env": {
        "KEYFACTOR_CA": "kftrain.keyfactor.lab\\\\keyfactor-KFTRAIN-CA",
        "KEYFACTOR_TOKEN": "YOUR_TOKEN",
        "KEYFACTOR_HOSTNAME": "YOUR_HOSTNAME",
        "KEYFACTOR_TEMPLATE": "WebServer",
        "COMMAND_IDP_AUDIENCE": "YOUR_AUDIENCE",
        "COMMAND_IDP_CLIENTID": "YOUR_CLIENTID",
        "COMMAND_IDP_TOKENURL": "YOUR_TOKENURL",
        "COMMAND_IDP_CLIENTSECRET": "YOUR_CLIENTSECRET"
      }
    }
  }
}

You can run the Command-MCP Server locally to manage Keyfactor Command operations through a Python-based MCP client. This preview exposes a set of certificate and metadata operations, enabling enrollment, revocation, and certificate queries in a controlled local environment with your Command permissions.

How to use

You will run the MCP server as a local process and connect your MCP client to it. The server implements operations to retrieve license information, inspect certificates, enroll new certificates (PFX or CSR), revoke certificates, fetch metadata fields, and run certificate searches. Ensure you have the right permissions in Keyfactor Command for the actions you intend to perform.

How to install

Prerequisites you need before installation:

  • Keyfactor Command version 11 or higher
  • Claude for Desktop (for client interactions)
  • Python 3

Follow these concrete steps to install and run the MCP server locally:

  1. Prepare a working directory for the MCP files, e.g. create a folder named mcp on your drive.

  2. Create or identify a Command user account with the permissions needed for your intended operations (see operation list for required permissions).

  3. Create an environment variable file at C:\mcp\mcpenv.txt and populate it with your Command environment details. For example (fill in your actual values):

Basic auth:
    KEYFACTOR_HOSTNAME='...'
    KEYFACTOR_TOKEN='...'
    KEYFACTOR_TEMPLATE='WebServer'
    KEYFACTOR_CA='kftrain.keyfactor.lab\\keyfactor-KFTRAIN-CA'
OAuth:
    KEYFACTOR_HOSTNAME=...
    KEYFACTOR_URLBASE=Keyfactor/API
    COMMAND_IDP_TOKENURL=...
    COMMAND_IDP_CLIENTID=...
    COMMAND_IDP_CLIENTSECRET=...
    COMMAND_IDP_AUDIENCE=...
    KEYFACTOR_TEMPLATE=Server_tlsServerAuth-1y
    KEYFACTOR_CA=http://ejbca-ca.jdk-2025-may.svc.cluster.local:8082/ejbca\\Sub-CA

  4. Install Python dependencies used by the MCP server runtime.

    pip install requests oauthlib httpx attrs python-dateutil uv

    # If you need to use pip3 explicitly on some systems, substitute `pip3` for `pip`.

  5. Start a test run from the command line to verify the MCP server prints an initialization message.

    uv --directory C:\mcp run --env-file=C:\mcp\mcpenv.txt commandmcp.py

  6. If you use Claude for Desktop, configure the client to invoke the MCP server with the following settings. This enables the client to run the MCP when you trigger commands from Claude.

{ 
  "mcpServers": {
    "keyfactorCommand": {
      "command": "uv",
      "args": [
        "--directory",
        "C:\\mcp",
        "run",
        "--env-file=C:\\mcp\\mcpenv.txt",
        "commandmcp.py"
      ]
    }
  }
}
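
A pre-flight check for the mcpenv.txt file from step 3, as an added example (not part of the Command-MCP project): it reports missing keys, leftover placeholder values, mixed Basic/OAuth credentials, and a non-HTTPS token URL. The required-key sets are copied from the two examples above and treating them as required is an assumption; `parse_env`, `check_env` and the sample values are constructed here.

```python
import re

# Key sets copied from the two mcpenv.txt examples on this page; treating every
# listed key as required is an assumption of this example.
COMMON = {"KEYFACTOR_HOSTNAME", "KEYFACTOR_TEMPLATE", "KEYFACTOR_CA"}
BASIC = COMMON | {"KEYFACTOR_TOKEN"}
OAUTH = COMMON | {"KEYFACTOR_URLBASE", "COMMAND_IDP_TOKENURL", "COMMAND_IDP_CLIENTID",
                  "COMMAND_IDP_CLIENTSECRET", "COMMAND_IDP_AUDIENCE"}
PLACEHOLDER = re.compile(r"(\.\.\.|YOUR_[A-Z]+)?")  # empty, "..." or YOUR_X

SAMPLE = """\
KEYFACTOR_HOSTNAME='command.example.test'
KEYFACTOR_TOKEN='...'
COMMAND_IDP_TOKENURL=http://idp.example.test/token
KEYFACTOR_TEMPLATE='WebServer'
"""  # constructed sample, not a real environment

def parse_env(text):
    """Parse KEY=value lines; strip one pair of matching quotes, skip comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def check_env(text):
    """Return a sorted list of findings for one env file; empty means clean."""
    env, findings = parse_env(text), []
    has_basic = "KEYFACTOR_TOKEN" in env
    has_oauth = any(k.startswith("COMMAND_IDP_") for k in env)
    if has_basic and has_oauth:
        findings.append("both Basic and OAuth credentials set; keep one mode")
    required = OAUTH if has_oauth else BASIC
    findings += [f"missing {k}" for k in required - env.keys()]
    findings += [f"placeholder or empty value for {k}"
                 for k, v in env.items() if PLACEHOLDER.fullmatch(v)]
    url = env.get("COMMAND_IDP_TOKENURL", "")
    if url and not PLACEHOLDER.fullmatch(url) and not url.lower().startswith("https://"):
        findings.append("COMMAND_IDP_TOKENURL is not https")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(check_env(SAMPLE)))
```

Run it against the real file with `check_env(open(r"C:\mcp\mcpenv.txt").read())` before starting the server; the findings name keys only and never echo secret values.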

Additional sections

The MCP server is intended to run in a local environment, and environment variables scope its operations to the intended enrollment types. Set permissions for each operation (enrollment, revocation, and query) in Keyfactor Command to match your security requirements.

Operations exposed by the server include retrieving the license, getting certificate details by ID, enrolling certificates (PFX and CSR), revoking certificates, retrieving metadata fields, and querying certificates. A static module info endpoint is available for MCP server capabilities.

If you encounter issues, verify that your environment variables file is correctly formatted, the Command user has the necessary permissions, and that Claude or your MCP client is configured to target the local MCP server at the path you specified.

Notes

This preview software is experimental and intended for local testing with a client like Claude for Desktop. It is not recommended for production use.

All template and CA parameters used for enrollment must be defined via environment variables to ensure MCP clients are scoped to the intended enrollment types. Permissions and availability should be configured on the template and CA.

For further details on the available operations and required permissions, refer to the Keyfactor Command reference for information on each endpoint and capability.

Tools and operations

The MCP server exposes a set of operations you can perform through your MCP client. These include the following built-in functions:

  • get_license: Retrieve information about the functionality license in Keyfactor Command and test connectivity.
  • get_certificate_details_by_id: Retrieve a certificate and metadata by certificate ID; includes risk data if Command Risk Intelligence is enabled.
  • enroll_certificate: Enroll a certificate via PFX using a provided subject and DNS SANs.
  • enroll_csr: Enroll using a CSR provided to the MCP client.
  • revoke_certificate: Revoke a certificate by its ID.
  • get_metadata_fields: Retrieve all metadata fields and definitions in Command.
  • query_certificates: Execute a certificate search query with optional sorting.
  • get_module_info_for_mcp: Returns a static definition describing the MCP server.

Available tools

get_license

Retrieves information about the functionality license in Keyfactor Command and serves as a basic connectivity test.

get_certificate_details_by_id

Retrieves a certificate and associated metadata by certificate ID, including risk data if Command Risk Intelligence is enabled.

enroll_certificate

Performs PFX enrollment using provided subject and DNS SANs.

enroll_csr

Enrolls a certificate using a CSR provided to the MCP client.

revoke_certificate

Revokes a certificate by its certificate ID.

get_metadata_fields

Retrieves a list of all metadata fields and definitions present in Command.

query_certificates

Runs a certificate search query to retrieve matches with optional sorting.

get_module_info_for_mcp

Returns a static definition describing the MCP server.
