Hi, I’m JD Kilgallin, and I lead the Analytics & AI team here at Keyfactor. Over the past several months, I’ve had the privilege to work with some truly talented people and incredible technology that empowers our customers to establish and manage digital trust in ways we’ve never imagined.
In particular, the promise of Agentic AI – which has become a hot topic among CIOs, CISOs, and technical practitioners alike – is that teams can achieve new levels of automation using a wide variety of enterprise software through a single natural-language interface. One of the most exciting developments is the Model Context Protocol (MCP), an innovative standard rapidly gaining traction that allows an AI to access existing enterprise applications. In a way, it takes the AI ecosystem from smart to truly usable and actionable. Generative AI can talk; Agentic AI can do, using the Model Context Protocol. And now, one more thing it can do is to autonomously manage digital trust.
At Keyfactor, we’ve built our own MCP server, and we’re excited to share it with you today.
AI Meets PKI: Introducing the Command MCP Server
The Command MCP Server, now available in preview, seamlessly integrates AI models with the Keyfactor Command certificate lifecycle management platform. With this integration, AI-powered assistants like Claude can query, analyze, and even act on certificate data within Command. The result? Now teams can identify and remediate certificate-related issues within seconds, using simple conversational prompts and receiving in-depth interpretation of results.
Why does this matter?
As the use of digital certificates expands rapidly, it’s not unusual to see thousands, if not millions, across an organization’s digital footprint. But with growing volumes and shortening lifespans, teams need ever more advanced automation tooling to handle the workload of managing and orchestrating them at scale.
Keyfactor Command is designed to help organizations tackle this problem head-on — delivering visibility, governance, and automation across their PKI and certificate landscape. But now imagine that users can perform these complex certificate management tasks, even without accessing the GUI. With this integration, they can. No longer is complex query construction required to answer questions like:
“What are the riskiest certificates in my environment?”
“What production certificates expire in the next 30 days?”
“How many certificates did I issue in May compared to last year?”
“Did user ‘fjones’ issue any client authentication certificates in 2025? What was the most recent?”
A user’s AI assistant can answer these questions for them conversationally, from the same interface as the user’s other Agentic AI workflows. If the certificate is found to be unsuitable, renewal can be as simple as typing “Revoke and replace”, allowing Claude to generate revocation comments and automatically transcribe subject information for the new request, completing the certificate lifecycle events through Keyfactor Command.
Powered by Risk Intelligence
Moreover, by leveraging data and insights from the new Command Risk Intelligence module, the Command MCP Server is a powerful tool to help organizations make sense of their top PKI risks. Users do not need to refer to highly technical documentation to understand the implications of messages like “CA certificate without basic constraints” or “certificate without AKID”. Claude can provide its own explanation of the issue, expanding on the Risk Intelligence insights in Command to make risks more actionable than ever. It can answer follow-up questions about the issues, helping to contextualize the risk and explain the practical impact to an enterprise security network at any length. And it can supplement the Risk Intelligence analysis with its own conclusions, making recommendations about the appropriate course of action. If revocation and/or renewal is required, Claude can perform this automatically, with the operations still fully covered by the security model and audit capabilities of Keyfactor Command. Claude can furthermore be configured to require explicit human approval before executing these operations, which is recommended to provide additional security. These product features help users to retain control of their certificate operations even in the AI Era.
In this demo, I briefly show how, using Claude for Desktop, I can complete this full lifecycle – identify risky certificates, understand why they pose a risk, then revoke and replace them via Command – all through plain English. No scripts. No manual steps. Just a conversation.
Making PKI simple, not just for the experts
This isn’t just a new feature, it’s an entirely new way to interact with Command: one that’s intuitive, intelligent, and incredibly powerful. Here are just a few ways that teams can benefit from using the Command MCP Server:
- Ask anything and get AI-powered insights: Think of it as your own digital trust assistant, providing instant insights into your PKI and certificate landscape. The Command MCP Server can help you easily detect and assess risks at scale.
- Remediate critical vulnerabilities instantly: The Command MCP doesn’t just find risks, it helps you act on them. Plain language prompts like “Revoke and replace all certificates issued by EJBCA-dev-4 last week with risk score over 1000” take these actions from hours to seconds.
- Simplify PKI for everyone, not just experts: Make certificate management easy, regardless of technical proficiency, PKI knowledge, or even spoken language. Claude’s ability to explain the state of your PKI at any level and in many languages makes digital trust accessible.
Although still in early development, we’ve already begun to demonstrate its application across the rest of the Keyfactor product portfolio, including identifying risks in code-signing certificates within Keyfactor Signum, our SaaS-based secure code signing platform. The potential for fully autonomous configuration of identity certificates – on web servers, load balancers, network equipment, cloud workloads, and other systems – is enormous, and Keyfactor Command’s integration with Agentic AI via the Model Context Protocol is the best path to achieve this. We similarly envision a future where securely signing code with certificates in Signum and SignServer, generating keys and CSRs using Bouncy Castle, gaining deeper Intelligence from CipherInsights and AgileSec Analytics, and more are all possible through AI Agents.
The Command MCP Server marks a major step forward in our Agentic AI vision, empowering our customers with more intelligence, streamlined operations, and enhanced automation. The possibilities are truly endless, and we’re just getting started.
Ready to try it out?
Start today! The Command MCP server is currently available on GitHub, and details are accessible through our documentation. Oh, and that Claude instance in the video above? It’s the author of the documentation – who better qualified to document the Command MCP Server than the MCP Client who interacts with it directly? The documentation has been thoroughly reviewed by me and other Keyfactor staff.
This functionality is currently in preview and should not be used in production environments. As this technology evolves and matures, we will continue to update and expand our coverage of use cases and supporting documentation.
Here’s to a bright and automated future!