Plans & pricing Coming soon
The four read-only audit tools are free, no license, no payment, live today. The three tools that change a binding need a paid tier; checkout for those isn’t live yet.
No license needed.
- The four read-only audit tools (full list below)
- Runs locally, stdio, PowerShell
- Works with Claude Code or any MCP client
- No license key, ever
For one person.
- Adds the two binding tools, for SQL Server and Reporting Services (full list below)
- Licensed for one person
- Everything in Free
For a team.
- Adds the full reserve → bind → restart → verify orchestrator (full list below)
- Licensed for your team
- Everything in Starter
Same tools as Professional.
- Same tool access as Professional
- Everything in Professional
Free, read-only: inventory and check what’s bound today. Nothing here changes anything.
| Tool | What it does |
|---|---|
get_rs_http_config | Inventory a Reporting Services HTTPS surface: reserved URLs, SSL bindings, registered URLs |
test_rs_https_endpoint | Confirm an RS endpoint actually serves over HTTPS, GETs it, validates the served cert’s SAN and thumbprint |
test_sql_cert_binding | Report the TLS cert bound to a SQL Server instance from the registry: thumbprint, ForceEncryption, expiry |
test_rs_cert_binding | Report the TLS cert bound to an RS endpoint via WMI |
Paid, state-changing: these bind, reserve, and restart. Called without a license, each returns a clear message saying so instead of a bare error.
| Tool | Tier | What it does |
|---|---|---|
set_sql_cert_binding | Starter+ | Bind a cert to a SQL Server instance via the registry, restart to apply |
set_rs_cert_binding | Starter+ | Bind a cert to an RS endpoint via WMI |
install_rs_connection_certificate | Professional+ | Full orchestration: reserve URL, bind, restart, then verify it actually serves |
SqlCertForge acts on your SQL Server or Reporting Services host, locally or on a remote node over -Node / -Credential.
- Point it at your instance: a SQL Server instance name, or an RS/PBIRS install
- It binds the cert: a registry write for SQL’s
SuperSocketNetLib, or a WMI call and URL reservation for RS, then restarts the service that has to pick it up - It checks its own work: hits the endpoint over HTTPS and reads back the served certificate’s thumbprint, rather than trusting that the bind command returned success
PowerShell, stdio, local only
The four read-only tools, running as a local PowerShell MCP server. No license, no payment, no network calls beyond the SQL/RS host you point it at.
C#, stdio or hosted
Same read-only tools stay free; the three binding tools need a license to run. Runs locally over stdio, or hosted for a team.
Tested live against a real Always On Availability Group and does not fully pass yet: a generic timeout, root cause not isolated. The cert-binding operations themselves are per-instance registry and WMI calls, identical whether the target is standalone or AG-joined, so the functional risk looks low, but this is a real open gap. Don’t take “tested against Always On” as a claim this page makes.
A hosted container option exists for team deployments. It doesn’t have TLS in front of it yet, so it’s not linked from this page as a production URL. Run the paid MCP locally over stdio today; the hosted path lands here once that’s fixed.
119 of 119 Pester tests passing (11 test files covering the underlying cert-binding logic). 41 of 41 xUnit tests passing (the C# MCP layer: tier-to-tool mapping, the license gate including real RSA sign/verify/tamper/expiry cases, and Stripe webhook signature verification). All seven tools have been exercised live against real SQL Server 2022, SSRS, and Power BI Report Server, with certificate rotation checked across four nodes.
SqlCertForge.MCP is the second in a line of single-purpose MCP servers, after ClusterValidator.MCP and before PesterForge.MCP.