Certificate work is mostly context-switching. You are deep in a deploy, a TLS error throws, and suddenly you are in a browser pulling up an online checker, then SSH-ing somewhere to run openssl s_client, then digging through your notes for the renewal command. The TLS Radar plugin for Claude Code collapses that into a sentence you type where you already are.
It is an open-source plugin (MIT licensed, on GitHub) that maps a handful of slash commands to MCP tools. Three jobs, none of which make you leave the editor: scan any domain, issue a free Let's Encrypt certificate through Beacon, and set up ongoing expiry monitoring.
Install
The plugin is pure configuration - no compiler, no Go toolchain, no ~/.local/bin to wire up. Clone it into Claude Code's plugin directory and run the built-in MCP command:
git clone https://github.com/TLS-Radar/tlsradar-claude-plugin ~/.claude/plugins/tlsradar
# then, inside Claude Code:
/mcpThat is the whole setup. Claude Code reads the config directly; there is nothing to build.
The commands
Each command maps to one MCP tool. The first two need no account at all.
/tls-scan example.com- free, anonymous SSL/TLS scan. Returns issuer, expiry, chain, negotiated ciphers, known vulnerabilities, and a shareable report URL. No login./tls-cert mydomain.dev- issue a free 90-day Let's Encrypt certificate via Beacon. Walks you through DNS validation and hands back a PKCS#12 bundle./tls-monitor add api.foo.io- add a domain to ongoing monitoring. The free plan watches one domain and warns 7 days before expiry./tls-expiring- everything expiring soon across your monitors. Defaults to a 30-day window, sorted by days remaining./tls-status- plan tier, monitors used, alerts used, scans today. Useful for deciding when a free plan has stopped being enough./tls-renew- reissue a Beacon certificate that is approaching expiry, same DNS-validated flow as/tls-cert.
Because the model picks the tool, you do not have to memorise any of this. "Is the cert on staging.foo.io about to expire?" lands on the same place as /tls-expiring.
Auth uses OAuth, not API keys
The commands that touch your account authenticate over standard OAuth 2.0. There is no key to paste into a dotfile and later leak. The flow runs once:
- Discovery. Claude Code fetches
/.well-known/oauth-authorization-serverfrom tlsradar.com to learn the endpoints and scopes. - Self-registration. The plugin registers itself as a public OAuth client via RFC 7591 - no manual key creation, no app-submission queue.
- Consent. Your browser opens to the authorize page, shows the requested scopes (read, write), and you approve. New here? Plugin signups go straight to the free plan, no trial.
- Token exchange. Authorization code plus PKCE (S256) exchanges for a bearer token. Refresh tokens rotate on use.
- Revoke any time. Pull the token at
tlsradar.com/oauth/authorized_applicationswhenever you want.
Free certificates via Beacon
/tls-cert is a front end to Beacon, which issues free 90-day Let's Encrypt certificates with a guided DNS-validation flow. No ACME client to install, no account required. You get a PKCS#12 bundle back, and the certificate belongs to whoever controls the domain, since validation happens over DNS.
For the command to run inline you set a Beacon plugin token in your shell. Without it, /tls-cert and /tls-renew fall back to opening Beacon's web form - the same certificate, just in your browser. The token is a traffic-identification cookie for per-source rate limiting, not a secret.
The practical use: your commercial CA renewal is still validating and the clock is running. /tls-cert gets a working certificate up in about ten minutes to stop the bleeding while the real one lands.
Monitoring without opening a dashboard
Scanning tells you about a certificate once. Monitoring tells you before it breaks. /tls-monitor add puts a domain under continuous watch, /tls-expiring surfaces what is coming due, and alerts reach you before the expiry date instead of from an angry customer.
The free plan covers one monitored domain with a 7-day warning window, which is enough to prove the model fits. Starter ($9.99/mo) lifts that to 10 monitors with hourly checks, and the paid tiers add Slack and webhook alerts and scale from there.
Why run this through MCP at all
Because the certificate context now lives next to the code context. You are not alt-tabbing to a web tool and copying a hostname across; you ask in plain English and the answer comes back in the same window where you are already working. For teams leaning into AI-native workflows, that is the difference between certificate hygiene being a thing you remember to do and a thing you just say out loud.
The plugin is free and open source. See the full command reference and install guide, or grab it from GitHub and run /mcp.
Get the next post in your inbox
TLS monitoring tips and product updates. No spam, unsubscribe anytime.
Keep reading
Managing Thousands of TLS Certificates: A Practical Framework
DigiCert CertCentral Alternatives: An Honest Comparison
The True Cost of a TLS Outage (And Why Calendars Won't Save You)
Related guides
-
What Is SSL/TLS Certificate Monitoring? A Complete Guide
A plain-English definition of SSL/TLS certificate monitoring, what it catches beyond expiry, and why shorter certificate lifespans are making it essential.