CertIndex MCP

official

The only certificate-transparency MCP server. Search 2.15B+ TLS certificates, monitor domains for new issuance, stream the global CT firehose to your agent.

What can you do with Cert Index MCP?

  • Search certificates by domain or fingerprint — Find TLS certificates using search_certificates with a domain name or SHA-256 fingerprint.
  • Retrieve full certificate details — Fetch PEM data, CT log metadata, and parsed fields for a specific cert with get_certificate.
  • List all certificates for a domain — Get every cert ever issued for a domain using get_domain_certificates.
  • Discover subdomains from CT logs — Enumerate subdomains observed in certificates for a given domain via get_subdomains.
  • Check the most recent certificate — Retrieve the latest issued certificate for a domain with get_latest_cert.
  • Find certificates nearing expiration — Identify certs expiring within a specified number of days using get_expiring_certs.

Documentation

certindex-mcp

CI PyPI License: MIT

An MCP (Model Context Protocol) server that exposes CertIndex's Certificate Transparency search tools to any MCP-compatible client (Claude Desktop, the MCP Inspector, Continue, etc.).

CertIndex indexes the full public CT corpus (~5 M certificates, growing ~100 k/day). This server wraps the public CertIndex REST API so an LLM can ask questions like:

  • "List every TLS certificate ever issued for example.com."
  • "What subdomains has Let's Encrypt seen for mycompany.io?"
  • "Show me certs expiring in the next 30 days for api.mycompany.io."
  • "Pull the full PEM and CT log metadata for SHA-256 <fingerprint>."

Why this repo exists

The CertIndex monorepo bundles an MCP server (mounted at https://api.ctindex.io/mcp) that talks directly to the production Postgres index. This standalone package is a thin client-side shim: it speaks MCP to your editor / agent and forwards every tool call to the hosted CertIndex REST API over HTTPS. Two consequences:

  1. You don't need a copy of the index — sign up for a free API key at https://ctindex.io and you're done.
  2. The package has a tiny dependency footprint (mcp, httpx, pydantic) — easy to audit, easy to vendor, no DB drivers.

Install

pip install certindex-mcp

Or with uvx for one-shot use:

uvx certindex-mcp

To install the latest development version from source instead:

pip install git+https://github.com/certindex/certindex-mcp

Quickstart — Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "certindex": {
      "command": "uvx",
      "args": ["certindex-mcp"],
      "env": {
        "CERTINDEX_API_KEY": "ctx_live_..."
      }
    }
  }
}

Restart Claude Desktop. The six CertIndex tools (search_certificates, get_certificate, get_domain_certificates, get_subdomains, get_latest_cert, get_expiring_certs) appear in the tool tray.

Quickstart — MCP Inspector

export CERTINDEX_API_KEY=ctx_live_...
npx @modelcontextprotocol/inspector uvx certindex-mcp

Configuration

Env varDefaultDescription
CERTINDEX_API_KEY(required)Your CertIndex API key. Mint one at https://ctindex.io/app/keys
CERTINDEX_BASE_URLhttps://api.ctindex.ioOverride for self-hosted deployments / staging
CERTINDEX_TIMEOUT30Per-request HTTP timeout (seconds)

Security

Input validation, rate-limit handling, and our supply-chain posture are documented in SECURITY.md. Please report vulnerabilities to security@ctindex.io rather than filing public issues.

Development

git clone https://github.com/certindex/certindex-mcp
cd certindex-mcp
pip install -e ".[dev]"
pytest

CI runs on Python 3.11 / 3.12 / 3.13.

License

MIT © CertIndex contributors.