Use the MCP server to connect third-party AI tools
The Model Context Protocol (MCP) server for DigiCert® Trust Lifecycle Manager acts as a bridge between AI models and DigiCert. The MCP server includes a curated set of Trust Lifecycle Manager APIs, enabling use of natural language to query and manage your account data in a secure, permissioned manner.
For example, by connecting to the MCP server from an IDE environment like VS Code, you can use the IDE's integrated AI tools to list certificates, check certificate status, or perform basic metadata management actions for your Trust Lifecycle Manager account.
Important
To ensure that only approved actions can be performed, the MCP server controls which specific API endpoints are available and requires authentication using an API key with permission to access those endpoints.
Before you begin
The MCP server is currently only available for customers in the United States using the DigiCert® ONE production environment (one.digicert.com).
The URL for the MCP server is https://mcp.digicert.com/trust-lifecycle-manager.
To authenticate to the MCP server, you need an API key for a user or service user in DigiCert ONE with access to Trust Lifecycle Manager and the following user roles (or equivalent permissions) at minimum:
View only: To use the read-only inventory analysis functions.
Certificate owners manager: To manage certificate owners through the MCP server.
User and certificate manager: To assign certificate tags through the MCP server. The only individual permission that's required is Manage Certificates.
Best practices for using the MCP server
Follow these tips to get the best results from the MCP server:
When querying multiple sources, tag your prompts with "TLM" to help identify the correct MCP server.
To query a specific API endpoint, the API key used for authentication must be for a user or service user with permission to access that endpoint.
To query and manage inventory metadata, include your Trust Lifecycle Manager account ID (UUID) in the initial prompt of each chat session.
For endpoints that require parameters beyond the account ID, provide the additional UUID and parameter values within each prompt.
MCP server capabilities
The MCP server supports the following capabilities for analyzing and managing the data in your Trust Lifecycle Manager account.
Use semantic search to find on-demand information about Trust Lifecycle Manager features from the public documentation.
Example prompts:
What connectors are available for TLM
TLM: How are certificate owners used
Find information about seat usage in your account.
Example prompts:
How many user seats in my TLM account
How many seats in my TLM account are inactive
Search for certificates that match the criteria you specify.
Example prompts:
Give me certs expiring in the next month
How many certs issued for the example.com domain
Get information about and manage certificate owners and tags.
Example prompts:
Get certificate owner details for ID 5bcd1822-cc14-4563-a565-607a6385c3f2
Update certificate owner ID 5bcd1822-cc14-4563-a565-607a6385c3f2 to have email sre.admin@example.com
For certs issued in January 2025, add tag: january-mcp
API endpoints
The MCP server interacts with the following public API endpoints for Trust Lifecycle Manager.
The following endpoints provide read-only access to data in your Trust Lifecycle Manager account.
| API endpoint | Description | Required parameters |
|---|---|---|
| | List details about certificates in your inventory. | — |
| | Get information about certificate owners in your account by ID. | |
| | Get a list of seat records in your account. | — |
| | Get information about available seat types. | — |
The following endpoints support management of certificate metadata in your Trust Lifecycle Manager account.
| API endpoint | Description | Required parameters |
|---|---|---|
| | Add tags to one or more certificates by ID. | |
| | Update certificate owner details by ID. The new email address for the owner contact is always required. To update the owner's name, provide the new first and/or last name in your prompt as well. | |
IDE configuration examples
Follow these instructions to configure your IDE environment to include the MCP server for Trust Lifecycle Manager. After adding the MCP server, you can use the IDE's integrated AI chatbot to query your inventory data.
Important
For additional details and the most current MCP configuration steps, refer to the official documentation for your IDE platform.
To configure your VS Code environment to use the MCP server for Trust Lifecycle Manager:
From the VS Code menu bar, select View > Command Palette. The Command Palette opens at the top of the VS Code window.
In the Command Palette, search for MCP: Add Server and select it.
When prompted to choose a transport type, select HTTP.
Enter the following server URL, then press Enter:
https://mcp.digicert.com/trust-lifecycle-manager
Enter a name for the MCP server, for example:
TLM-MCP-server
If prompted, select the scope for MCP server availability:
Global: The MCP server is available in all workspaces.
Workspace: The MCP server is available only in the selected workspace.
In the generated mcp.json file, add your API key as a request header. The updated file should look something like this:
```json
{
  "servers": {
    "TLM-MCP-server": {
      "url": "https://mcp.digicert.com/trust-lifecycle-manager",
      "type": "http",
      "headers": {
        "x-api-key": "API-KEY-HERE"
      }
    }
  },
  "inputs": []
}
```
Note: Replace API-KEY-HERE with your actual API key.
Important
API keys must be provided exactly as issued. Do not wrap the key in {} or quotes beyond JSON string quotes. Do not include whitespace or line breaks.
Save the mcp.json file.
In the Command Palette, enter the MCP server name, and then select the Settings icon next to it.
Select Start Server.
To verify availability of the MCP server, open the Command Palette again and select MCP: List Servers.
To start querying the MCP server, open Copilot Chat in VS Code by selecting the Chatbot icon located in the search bar.
Note
AI features in Visual Studio Code are available through the chatbot and are only accessible to logged-in users. To use this feature, you must log in to Copilot using a GitHub account or another supported account.
Once the chatbot is open, select Agent mode from the Mode dropdown at the bottom of the chat window. Enter the MCP server name preceded by #, add a space, and then enter your query in natural language.
Note
Using # with the MCP server name is optional. DigiCert recommends using this method when multiple MCP servers are running.
Select a Copilot model that supports tools. The default models are sufficient, and no manual model configuration is required.
The MCP server starts executing the query by planning and selecting the appropriate internal tool. It may prompt you for consent to execute the tool action. Select Allow or Allow Always for this MCP server.
Note
The system does not execute the API call without approval.
To configure your Cursor environment to use the MCP server for Trust Lifecycle Manager:
From the Cursor menu bar, select View > Command Palette. The Command Palette opens at the top of the VS Code window.
In the Command Palette, select View: Open MCP Settings.
Select the New MCP Server button.
Replace the existing JSON configuration with the following:
```json
{
  "mcpServers": {
    "TLM-MCP-server": {
      "url": "https://mcp.digicert.com/trust-lifecycle-manager",
      "transport": "sse",
      "headers": {
        "x-api-key": "API-KEY-HERE"
      }
    }
  }
}
```
Note:
Adjust the name TLM-MCP-server as needed.
Replace API-KEY-HERE with your actual API key.
Important
API keys must be provided exactly as issued. Do not wrap the key in {} or quotes beyond JSON string quotes. Do not include whitespace or line breaks.
Open the MCP settings again from the Command Palette and verify that the MCP server is listed and the toggle switch is enabled.
To start querying the MCP server, open the AI Pane in Cursor by selecting the Toggle AI Pane button located in the top-right corner of the Cursor IDE.
From the Switch Agent Mode dropdown, select Agent.
Select a model from Switch Model if needed. The default Auto mode is sufficient to interact with MCP servers.
In the AI Pane chat input box, enter your prompt.
The MCP server starts executing the query by planning and selecting the appropriate internal tool. It may prompt you to consent to execute a tool action. Select Allow or Allow Always for this MCP server.
Note
The system does not execute the API call without approval.
Select Run to invoke the tool. The result is displayed in the chat window.
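The following pre-flight check for the mcp.json files shown in the VS Code and Cursor steps above is an added example, not DigiCert code. It applies the API key rules stated on this page (no {} wrapping, no extra quotes, no whitespace or line breaks) and confirms the entry points at the documented HTTPS URL; the function name, messages, and sample key are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

EXPECTED_URL = "https://mcp.digicert.com/trust-lifecycle-manager"  # URL from this page
PLACEHOLDER = "API-KEY-HERE"                                       # placeholder from this page

def lint_mcp_config(text, server_name="TLM-MCP-server"):
    """Return a list of problems found in one server entry of an mcp.json document."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    # VS Code keeps entries under "servers", Cursor under "mcpServers".
    servers = cfg.get("servers") or cfg.get("mcpServers") or {}
    entry = servers.get(server_name) if isinstance(servers, dict) else None
    if not isinstance(entry, dict):
        return [f"server entry {server_name!r} not found"]

    problems = []
    url = str(entry.get("url", ""))
    if urlsplit(url).scheme != "https":
        problems.append("url is not https: the API key header would be sent unencrypted")
    if url.rstrip("/") != EXPECTED_URL:
        problems.append("url does not match the documented MCP server URL")

    key = (entry.get("headers") or {}).get("x-api-key")
    if not isinstance(key, str) or not key:
        return problems + ["x-api-key header is missing or empty"]
    if key == PLACEHOLDER:
        problems.append("x-api-key is still the placeholder")
    if any(ch.isspace() for ch in key):
        problems.append("x-api-key contains whitespace or a line break")
    core = key.strip()
    if core.startswith("{") or core.endswith("}"):
        problems.append("x-api-key is wrapped in {}")
    if core.startswith(('"', "'")) or core.endswith(('"', "'")):
        problems.append("x-api-key has quotes beyond the JSON string quotes")
    return problems

# Constructed sample: Cursor-style file with a brace-wrapped key and a trailing newline.
SAMPLE = ('{"mcpServers": {"TLM-MCP-server": {"url": "' + EXPECTED_URL + '", '
          '"transport": "sse", "headers": {"x-api-key": "{constructed-key}\\n"}}}}')

if __name__ == "__main__":
    for problem in lint_mcp_config(SAMPLE):
        print("FAIL:", problem)
```

Because the API key sits in mcp.json as plain text, running a check like this before saving also gives you a point at which to confirm the file is excluded from version control.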