@teamnetwork-nz/sslstore-mcp-server
v0.4.1
Published
MCP server for the SSLStore (The SSL Store) certificate API — manage the full SSL/TLS certificate lifecycle from Claude
Maintainers
Readme
sslstore-mcp-server
MCP server for The SSL Store certificate API. Manage the full SSL/TLS certificate lifecycle — order, validate, download, reissue, and revoke certificates — directly from Claude or any MCP-compatible client.
Features
- Browse the product catalogue and pricing
- Generate RSA private keys and CSRs locally (key never leaves the machine)
- Place, track, query, and search certificate orders
- Complete prepaid "Incomplete" orders by Token — reissue against an existing certificate or renew/issue while preserving remaining validity
- Download issued certificate files (leaf, CA bundle, intermediates, roots) in PEM, with optional PKCS7 chain
- Use any order ID — the partner portal order ID, internal SSL Store ID, partner ID, or your custom reference all resolve automatically
- Reissue and revoke certificates
- Manage domain control validation (DCV) — resend or change approver emails, switch to DNS/HTTP validation
- Bundle certificates into PFX/PKCS12 for Windows / IIS / Azure
- Configure order status webhooks
- Sandbox and read-only modes for safe exploration
- Local-timezone date display — all API dates converted to your local time automatically
Requirements
- Node.js 18+
- An SSL Store partner account — sign up here
Installation
npm install -g sslstore-mcp-serverOr run directly with npx (no install needed):
npx sslstore-mcp-serverConfiguration
All configuration is via environment variables.
| Variable | Required | Default | Description |
|---|---|---|---|
| SSLSTORE_PARTNER_CODE | Yes | — | Your SSL Store partner code |
| SSLSTORE_AUTH_TOKEN | Yes | — | Your SSL Store auth token |
| SSLSTORE_SANDBOX | No | true | Set to false to use the live API |
| SSLSTORE_READONLY | No | true | Set to false to enable write operations |
| SSLSTORE_KEY_DIR | No | ./keys | Directory where generated private keys are saved |
| DATETIMEFORMAT | No | local | Timezone for date display. local = system timezone; any IANA name (e.g. Pacific/Auckland, America/New_York) pins a specific zone |
Defaults are safe: the server starts in sandbox + read-only mode. You must explicitly set
SSLSTORE_SANDBOX=falseandSSLSTORE_READONLY=falseto place real orders.
MCP client setup
Claude Code
Add to your project's .mcp.json or user-level MCP config:
{
"mcpServers": {
"sslstore": {
"command": "npx",
"args": ["sslstore-mcp-server"],
"env": {
"SSLSTORE_PARTNER_CODE": "your-partner-code",
"SSLSTORE_AUTH_TOKEN": "your-auth-token",
"SSLSTORE_SANDBOX": "false",
"SSLSTORE_READONLY": "false",
"DATETIMEFORMAT": "Pacific/Auckland"
}
}
}
}Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"sslstore": {
"command": "npx",
"args": ["sslstore-mcp-server"],
"env": {
"SSLSTORE_PARTNER_CODE": "your-partner-code",
"SSLSTORE_AUTH_TOKEN": "your-auth-token",
"SSLSTORE_SANDBOX": "false",
"SSLSTORE_READONLY": "false",
"DATETIMEFORMAT": "Pacific/Auckland"
}
}
}
}Agent guidance
The server supplies MCP instructions that are automatically delivered to the calling agent at session start. These cover:
- Mode awareness — sandbox vs live, read-only vs read-write, which tools are available
- Order IDs — any order ID variant (portal, internal, partner, custom) is accepted and resolved automatically; responses report the portal-visible ID
- Datetime format — accepted input formats (YYYY-MM-DD or MM/DD/YYYY), timezone-aware output
- Typical workflow — step-by-step from credentials check through to certificate download
- DCV options — email, DNS, and HTTP validation; how to resend or switch method
- Irreversible operations — revocation warning, private key security
- Order searching — filtering by domain, status, expiry window
No special prompting is required — the agent receives these guidelines automatically.
Tools
Discovery
| Tool | Description |
|---|---|
| validate_credentials | Verify the API is reachable and credentials are valid |
| list_products | Browse available certificate products and pricing, optionally filtered by type (DV/OV/EV/Wildcard/Multi-Domain) |
| get_approver_list | Get valid DCV approver email addresses for a domain before ordering |
Key & CSR
| Tool | Description |
|---|---|
| create_certificate_request | Generate an RSA private key and CSR locally. The private key is saved to disk and never transmitted. Optionally validates the CSR via the API. |
Orders
| Tool | Description |
|---|---|
| submit_order | Place a new certificate order (requires SSLSTORE_READONLY=false) |
| submit_pending_order | Complete a prepaid "Incomplete" order by Token — reissue against an existing order, or renew/issue using the prepaid order (requires SSLSTORE_READONLY=false) |
| get_order_status | Track fulfilment status and domain validation progress |
| query_order | Retrieve full order details including contacts and organisation info |
| search_orders | Search and filter orders by domain, status, date range, or expiry window |
| reissue_certificate | Reissue an existing order with a new CSR (requires SSLSTORE_READONLY=false) |
| revoke_certificate | Revoke an issued certificate — irreversible (requires SSLSTORE_READONLY=false) |
Domain Control Validation
| Tool | Description |
|---|---|
| resend_approver_email | Resend the DCV email or switch to DNS/HTTP validation (requires SSLSTORE_READONLY=false) |
| change_approver_email | Permanently change the approver email and trigger a new validation email (requires SSLSTORE_READONLY=false) |
Certificate files
| Tool | Description |
|---|---|
| download_certificate | Download the issued certificate and chain files (PEM; optional PKCS7 chain via pkcs7). Can optionally save to disk. |
| create_pfx | Bundle a certificate, CA chain, and private key into a PFX/PKCS12 file for Windows/IIS/Azure |
Settings
| Tool | Description |
|---|---|
| set_order_callback | Configure a webhook URL for order status notifications (requires SSLSTORE_READONLY=false) |
Typical workflow
1. validate_credentials — confirm API access
2. list_products — find the right product code
3. get_approver_list — get valid DCV emails for your domain
4. create_certificate_request — generate key + CSR for your domain
5. submit_order — place the order
6. get_order_status — poll until status is ACTIVE
7. download_certificate — save the issued cert
8. create_pfx — bundle for deployment (optional)Prepaid "Incomplete" orders
If you prefer to keep control of the purchase (a financial transaction) and place the order manually in the partner portal, the result is an "Incomplete" order — visible to the API via search_orders / get_order_status as MajorStatus Pending/Initial, with no domain or CSR attached yet. This is the state immediately after purchase, before any CSR submission.
Each such order has a Token shown in the portal as <TokenID>#!<TokenCode>. Give this token to the agent along with the CSR and contact details, and use submit_pending_order with an explicit action:
reissue— the hostname already has a certificate with remaining validity; the CSR is applied to that existing order (no change to validity), and the prepaid token order stays available for later.renew— extend validity using the prepaid order. If an existing order for the hostname is within its renewal window (~1 month before expiry), it's renewed (validity preserved/extended). If it's found but not yet eligible, the tool refuses and warns instead of placing a throwaway new order. If no existing order exists, the prepaid order is completed as a new certificate.
Order IDs
An SSL Store order carries several identifiers:
| ID | Where you see it |
|---|---|
| VendorOrderID | The order ID shown in the partner portal |
| TheSSLStoreOrderID | Internal SSL Store ID — the only one the underlying API accepts |
| PartnerOrderID | Assigned by the CA/vendor side |
| CustomOrderID | Your own reference, if supplied at order time |
Every tool that takes an order_id accepts any of these. The server resolves it to the internal ID automatically (via the order search endpoint, cached per process), so you can work with the order number you see in the partner portal. Responses report the portal-visible ID as order_id and the internal ID as thesslstore_order_id.
Date handling
All dates are shown in the timezone configured by DATETIMEFORMAT. Dates you supply as input (e.g. search date ranges) are accepted in YYYY-MM-DD or MM/DD/YYYY format and sent to the API correctly. API responses in UTC are automatically converted for display.
Development
git clone https://github.com/TEAMnetwork-NZ/sslstore-mcp.git
cd sslstore-mcp
npm install
npm run dev # watch mode with tsx
npm run build # compile to dist/
npm run typecheck # type check without emittingLicense
MIT
