SqlCertForge MCP

TLS certificate binding for SQL Server and Reporting Services, checked after the fact.

Binds a cert, reserves the URL, restarts the right service, then proves it: hits the endpoint afterward and checks the served thumbprint. The sequence people get wrong doing it by hand.

Plans & pricing Coming soon

The four read-only audit tools are free, no license, no payment, live today. The three tools that change a binding need a paid tier; checkout for those isn’t live yet.

Free

No license needed.

$0/mo
  • The four read-only audit tools (full list below)
  • Runs locally, stdio, PowerShell
  • Works with Claude Code or any MCP client
  • No license key, ever
Starter

For one person.

$79/mo
Payment link coming soon
  • Adds the two binding tools, for SQL Server and Reporting Services (full list below)
  • Licensed for one person
  • Everything in Free
Professional

For a team.

$499/mo
Payment link coming soon
  • Adds the full reserve → bind → restart → verify orchestrator (full list below)
  • Licensed for your team
  • Everything in Starter
Enterprise

Same tools as Professional.

$1,999/mo
Payment link coming soon
  • Same tool access as Professional
  • Everything in Professional
01 The seven tools

Free, read-only: inventory and check what’s bound today. Nothing here changes anything.

ToolWhat it does
get_rs_http_configInventory a Reporting Services HTTPS surface: reserved URLs, SSL bindings, registered URLs
test_rs_https_endpointConfirm an RS endpoint actually serves over HTTPS, GETs it, validates the served cert’s SAN and thumbprint
test_sql_cert_bindingReport the TLS cert bound to a SQL Server instance from the registry: thumbprint, ForceEncryption, expiry
test_rs_cert_bindingReport the TLS cert bound to an RS endpoint via WMI

Paid, state-changing: these bind, reserve, and restart. Called without a license, each returns a clear message saying so instead of a bare error.

ToolTierWhat it does
set_sql_cert_bindingStarter+Bind a cert to a SQL Server instance via the registry, restart to apply
set_rs_cert_bindingStarter+Bind a cert to an RS endpoint via WMI
install_rs_connection_certificateProfessional+Full orchestration: reserve URL, bind, restart, then verify it actually serves
02 How it works

SqlCertForge acts on your SQL Server or Reporting Services host, locally or on a remote node over -Node / -Credential.

  1. Point it at your instance: a SQL Server instance name, or an RS/PBIRS install
  2. It binds the cert: a registry write for SQL’s SuperSocketNetLib, or a WMI call and URL reservation for RS, then restarts the service that has to pick it up
  3. It checks its own work: hits the endpoint over HTTPS and reads back the served certificate’s thumbprint, rather than trusting that the bind command returned success
03 Free MCP and paid MCP
Free

PowerShell, stdio, local only

The four read-only tools, running as a local PowerShell MCP server. No license, no payment, no network calls beyond the SQL/RS host you point it at.

Paid

C#, stdio or hosted

Same read-only tools stay free; the three binding tools need a license to run. Runs locally over stdio, or hosted for a team.

04 Honest limits
Always On / WSFC listener creation

Tested live against a real Always On Availability Group and does not fully pass yet: a generic timeout, root cause not isolated. The cert-binding operations themselves are per-instance registry and WMI calls, identical whether the target is standalone or AG-joined, so the functional risk looks low, but this is a real open gap. Don’t take “tested against Always On” as a claim this page makes.

Hosted endpoint

A hosted container option exists for team deployments. It doesn’t have TLS in front of it yet, so it’s not linked from this page as a production URL. Run the paid MCP locally over stdio today; the hosted path lands here once that’s fixed.

05 Under test

119 of 119 Pester tests passing (11 test files covering the underlying cert-binding logic). 41 of 41 xUnit tests passing (the C# MCP layer: tier-to-tool mapping, the license gate including real RSA sign/verify/tamper/expiry cases, and Stripe webhook signature verification). All seven tools have been exercised live against real SQL Server 2022, SSRS, and Power BI Report Server, with certificate rotation checked across four nodes.

Where next

SqlCertForge.MCP is the second in a line of single-purpose MCP servers, after ClusterValidator.MCP and before PesterForge.MCP.

ClusterValidator →  ·  PesterForge MCP →  ·  All products →