CERT-MCP-SERVER
Integrates with Cloudflare DNS to automatically manage DNS records for ACME DNS-01 challenges, enabling certificate validation and renewal for domains hosted on Cloudflare.
Provides automated certificate issuance and renewal using Let's Encrypt's ACME protocol with DNS-01 challenges, allowing management of SSL/TLS certificates for multiple devices.
Allows management of SSL/TLS certificates on Linux devices via SSH, including importing, installing, renewing, and checking certificates on various services like nginx.
A standalone Python MCP (Model Context Protocol) server for managing SSL/TLS certificates across multiple device types using Let's Encrypt with Cloudflare DNS-01 challenges.
Features
Multi-Device Support: Manage certificates on FortiGate, FortiManager, FortiAnalyzer, Windows, and Linux devices
Let's Encrypt Integration: Automated certificate issuance using ACME protocol with DNS-01 challenges
Cloudflare DNS: Automatic DNS record management for certificate validation
30 MCP Tools: Comprehensive toolset for certificate lifecycle management
Dual Transport: Supports both STDIO (for MCP clients) and HTTP (REST API)
Supported Device Types
Device Type | Protocol | Authentication |
FortiGate | REST API | API Token / Username+Password |
FortiManager | JSON-RPC | API Token / Username+Password |
FortiAnalyzer | JSON-RPC | API Token / Username+Password |
Windows | WinRM/PowerShell | NTLM / Basic / Kerberos |
Linux | SSH | Password / SSH Key |
Installation
# Clone the repository
cd /home/twingate/CERT-MCP-SERVER
# Install with uv
uv sync
# Or install with pip
pip install -e .

Configuration
Environment Variables
export CERT_MCP_CONFIG=/path/to/config.json
export CLOUDFLARE_API_TOKEN=your_cloudflare_token
export ACME_EMAIL=admin@example.com
export ACME_ACCOUNT_KEY_PATH=~/.acme/account.key

Configuration File
Create a config.json file:
{
  "server": {
    "host": "0.0.0.0",
    "port": 8815,
    "name": "cert-mcp-server",
    "version": "1.0.0"
  },
  "devices": {
    "fortigate": {
      "fw-01": {
        "host": "192.168.1.1",
        "api_token": "your_api_token",
        "vdom": "root"
      }
    },
    "linux": {
      "nginx-01": {
        "host": "192.168.1.10",
        "username": "admin",
        "ssh_key_path": "~/.ssh/id_rsa",
        "service_type": "nginx"
      }
    }
  },
  "acme": {
    "email": "admin@example.com",
    "staging": false,
    "account_key_path": "~/.acme/account.key"
  },
  "logging": {
    "level": "INFO",
    "console": true
  }
}

Usage
STDIO Mode (MCP Client)
# Run the server
uv run python -m cert_mcp.server
# Or use the entry point
cert-mcp

HTTP Mode (REST API)
# Run the HTTP server
uv run python -m cert_mcp.server_http
# Or use the entry point
cert-mcp-http

The HTTP server provides a REST API at http://localhost:8815.
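An added example, not part of the project's code: a small audit of a config.json in the layout shown under Configuration, flagging a wildcard bind address for the HTTP server, device credentials stored inline, production ACME mode, and a file mode that lets other accounts read the tokens. The function names, the sample values and the `password` key are assumptions made for illustration.

```python
import ipaddress
import json
import os
import stat

SECRET_KEYS = {"api_token", "password"}  # "password" is an assumed key name
PLACEHOLDERS = {"", "your_api_token"}    # README placeholder, not a real secret

# Constructed sample in the README's config.json layout (values are made up).
SAMPLE_CONFIG = {
    "server": {"host": "0.0.0.0", "port": 8815},
    "devices": {
        "fortigate": {"fw-01": {"host": "192.168.1.1", "api_token": "CONSTRUCTED-TOKEN"}},
        "linux": {"nginx-01": {"host": "192.168.1.10", "ssh_key_path": "~/.ssh/id_rsa"}},
    },
    "acme": {"email": "admin@example.com", "staging": False},
}

def audit_config(cfg, file_mode=None):
    """Return (severity, message) findings for a parsed config.json."""
    findings = []
    host = cfg.get("server", {}).get("host", "")
    try:
        if ipaddress.ip_address(host).is_unspecified:  # 0.0.0.0 or ::
            findings.append(("warn", f"server.host={host} listens on every interface"))
    except ValueError:
        pass  # a hostname rather than an IP literal; nothing to flag
    for dev_type, devices in cfg.get("devices", {}).items():
        for dev_id, dev in devices.items():
            for key in sorted(SECRET_KEYS.intersection(dev)):
                if dev[key] not in PLACEHOLDERS:
                    findings.append(("warn", f"devices.{dev_type}.{dev_id}.{key} is stored in plaintext"))
    if cfg.get("acme", {}).get("staging") is False:
        findings.append(("info", "acme.staging=false: requests go to the production CA"))
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("warn", f"config file mode {stat.S_IMODE(file_mode):o} grants group/other access"))
    return findings

def audit_file(path):
    """Audit a config.json on disk, including its permission bits."""
    with open(path) as fh:
        return audit_config(json.load(fh), os.stat(path).st_mode)

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG, file_mode=0o100644):
        print(f"[{severity}] {message}")
```

Run `audit_file` against the real config before starting the HTTP transport; a clean result for the sample layout needs a loopback or specific bind address and a mode of 600 on the file.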
MCP Tools (30 total)
Device Management (6)
list_devices - List all registered devices
add_device - Add a new device
remove_device - Remove a device
test_device_connection - Test connectivity
get_device_info - Get device details
list_devices_by_type - Filter devices by type

Certificate Check (5)
list_certificates - List certificates on a device
get_certificate_detail - Get certificate details
check_certificate_expiry - Check expiry status
check_all_expiring - Find all expiring certificates
verify_certificate_chain - Verify chain validity

Let's Encrypt (4)
request_certificate - Request new certificate
list_cloudflare_zones - List DNS zones
verify_cloudflare_token - Verify Cloudflare token
get_acme_account_info - Get ACME account info

Certificate Install (4)
import_certificate - Import certificate to device
request_and_install - Request and install in one step
import_ca_certificate - Import CA certificate
copy_certificate - Copy between devices

Certificate Replace/Renew (3)
replace_certificate - Replace existing certificate
renew_certificate - Renew with Let's Encrypt
auto_renew_check - Check and renew expiring certs

Certificate Delete (2)
delete_certificate - Delete from device
delete_certificate_batch - Delete from multiple devices

FortiManager-Specific (4)
fmg_list_managed_devices - List managed FortiGates
fmg_get_certificates_all - Get certs from all managed devices
fmg_push_certificate - Push cert to managed devices
fmg_check_certificate_status - Check cert status on devices

System (2)
health_check - Server health status
get_server_info - Server information
MCP Client Configuration
Add to your MCP client configuration:
{
  "mcpServers": {
    "cert-mcp": {
      "command": "uv",
      "args": ["run", "--directory", "/home/twingate/CERT-MCP-SERVER", "python", "-m", "cert_mcp.server"],
      "env": {
        "CERT_MCP_CONFIG": "/path/to/config.json",
        "CLOUDFLARE_API_TOKEN": "your_token"
      }
    }
  }
}

Examples
Request and Install Certificate
# Using MCP tool
await request_and_install(
    device_id="fw-01",
    domains=["example.com", "www.example.com"],
    cert_name="example-cert",
    staging=False
)

Check Expiring Certificates
# Find all certificates expiring in 30 days
result = await check_all_expiring(days_threshold=30)

Add a Device Dynamically
await add_device(
    device_id="nginx-02",
    device_type="linux",
    host="192.168.1.20",
    username="admin",
    ssh_key_path="~/.ssh/id_rsa",
    service_type="nginx"
)

Development
# Install dev dependencies
uv sync --dev
# Run tests
uv run pytest
# Format code
uv run black src/
uv run ruff check src/

License
MIT License