Model Context Protocol - dogtagpki/pki GitHub Wiki

Overview

Warning
This feature is still under development. Do not use in production.

PKI server provides an MCP server that an MCP client can use to access PKI services through an LLM. The MCP server is currently still a prototype, so it is only available as source and is not included in the distribution.

Prerequisites

Installing Dependencies

$ dnf install -y pip
$ pip install uv

Installing MCP Server

The MCP server can be used directly from its source directory at base/server/mcp. If necessary, the source directory can be copied into a different directory (e.g. /usr/share/pki/server/mcp).

Installing LLM

To install Ollama with Llama 3.2:

$ curl -fsSL https://ollama.com/install.sh | sh
$ ollama run llama3.2

Installing MCP CLI

The MCP CLI can be used directly from the source:

$ git clone https://github.com/chrishayuk/mcp-cli.git

Configuring MCP CLI

To configure MCP CLI, open the server_config.json in its source directory and replace the content with the following:

{
  "mcpServers": {
    "pki-server": {
      "command": "uv",
      "args": [
        "--directory",
        "/usr/share/pki/server/mcp",
        "run",
        "main.py"
      ]
    }
  }
}

Note: Make sure the --directory parameter points to the MCP server’s source directory.
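
MCP CLI starts whatever main.py sits in the configured directory, so it is worth checking that path before the first run. The following is an added example, not code from the PKI project or MCP CLI: check_config, server_directory and make_sample are hypothetical names, and it assumes the script is the last entry in args, as in the configuration above.

```python
import json
import os
import stat


def server_directory(entry):
    """Return the value that follows --directory in one mcpServers entry, or None."""
    args = entry.get("args", [])
    for i, arg in enumerate(args[:-1]):
        if arg == "--directory":
            return args[i + 1]
    return None


def check_config(config_path):
    """Return findings about the script each mcpServers entry would execute."""
    with open(config_path) as f:
        config = json.load(f)
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        directory = server_directory(entry)
        if directory is None:
            findings.append(f"{name}: no --directory argument")
            continue
        # Assumption: the script is the last argument, as in the configuration above.
        script = os.path.join(directory, entry["args"][-1])
        if not os.path.isfile(script):
            findings.append(f"{name}: {script} not found")
            continue
        # The MCP client runs this script, so only its owner should be able to change it.
        for path in (directory, script):
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{name}: {path} is group- or world-writable")
    return findings


def make_sample(root, script_mode=0o644):
    """Build a constructed server directory and config under root; return the config path."""
    directory = os.path.join(root, "mcp")
    os.mkdir(directory)
    os.chmod(directory, 0o755)
    script = os.path.join(directory, "main.py")
    open(script, "w").close()
    os.chmod(script, script_mode)
    entry = {"command": "uv", "args": ["--directory", directory, "run", "main.py"]}
    config_path = os.path.join(root, "server_config.json")
    with open(config_path, "w") as f:
        json.dump({"mcpServers": {"pki-server": entry}}, f)
    return config_path
```

Calling check_config("server_config.json") from MCP CLI’s source directory returns an empty list when the configured script exists and is writable only by its owner.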

Finding CA Users

To find CA users, run the following command in MCP CLI’s source directory:

$ uv run mcp-cli cmd \
    --provider=ollama \
    --model=llama3.2 \
    --server pki-server \
    --prompt "show me all users in CA subsystem"
...
Processing request of type CallToolRequest
Here is the list of users in the CA subsystem:

* CA-pki.example.com-8443 (agent)
* caadmin (admin)

Continuous Integration

The MCP server is automatically tested in CI:

The test is disabled by default. To enable the test, add a GitHub variable called MCP_TESTS_ENABLED and set it to true.

See also the latest test execution.

Current Limitations

  • Some of the dependencies are not available in Fedora.

  • The MCP server uses the pki-server CLI, so it only works with a local CA.

  • The MCP server uses the STDIO transport, so it only works with a local MCP CLI.

  • The MCP CLI only supports local Ollama.

  • There’s no guarantee that the prompt will trigger the proper call in the MCP server.

  • There’s no guarantee that the output will be consistent, so it’s more difficult to verify.

See Also
