Set Up Certificate Monitoring
IDIAL can retrieve and evaluate the current certificate of an OPC UA device directly — without triggering a GDS Push. This is useful for checking certificate status, verifying fingerprints, or viewing remaining validity before a manual renewal. Additionally, a monitoring scheduler can be activated to periodically check all devices in the inventory.
Prerequisites
- The device is reachable over the network from the IDIAL host
- An API key is available
Step 1 — Retrieve the Certificate of a Single Device
```bash
curl -s -X POST \
  -H "X-API-Key: <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "server": "192.168.1.100",
    "port": 4840,
    "fingerprint": "SHA1",
    "x509": true
  }' \
  https://<idial-host>:5000/gds/monitor/crt
```
Request Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| server | string | — | IP address or FQDN of the OPC UA server |
| port | integer/string | 4840 | OPC UA port |
| x509 | boolean | false | Include human-readable X.509 certificate details in the response |
| fingerprint | string | — | Fingerprint algorithm: "SHA1" (case-insensitive). If omitted, the response contains no fingerprint field |
| connection_security | boolean | false | Use a secured OPC UA connection to the device |
| disable_crl_check | boolean | false | Skip the CRL check. A revoked device certificate is then not detected, so use this only for diagnosis |
Example Response
```json
{
  "url": "opc.tcp://192.168.1.100:4840",
  "idial_time": "2026-03-30T14:22:05.123456",
  "fingerprint": "A1:B2:C3:D4:E5:F6:07:08:09:10:11:12:13:14:15:16:17:18:19:20",
  "security_policy": 8,
  "security_mode": 2,
  "x509": "Certificate:\n Subject: CN=OPC UA Server\n Issuer: CN=Internal CA\n Not Before: 2025-01-01\n Not After: 2027-01-01\n ..."
}
```
Response Fields
| Field | Description |
|---|---|
| url | Full OPC UA connection URL. Only present if the device is registered in the inventory |
| idial_time | ISO 8601 timestamp of the retrieval time |
| fingerprint | SHA-1 fingerprint in colon-separated hex format (only when the fingerprint parameter is set) |
| security_policy | Bitmask of active security policies (see Parameter Reference) |
| security_mode | Active security mode (0=None, 1=Sign, 2=SignAndEncrypt) |
| x509 | Human-readable X.509 certificate details (only when x509: true) |
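The response is meant to be acted on, not just read. The following Python script is an added example (not part of IDIAL) that evaluates a /gds/monitor/crt response offline: it normalizes the fingerprint so it can be compared with a value pinned by the operator (with or without colons, any case), pulls the Not After date out of the x509 text and computes the remaining validity relative to idial_time, and flags the cases the troubleshooting table lists (no url field, no fingerprint field). The sample response is constructed in the shape shown above; the pinned fingerprint, the 30-day warning threshold and the YYYY-MM-DD format of the Not After line are assumptions, as is the fetch helper, which only mirrors the curl call and is not needed for the offline run.

```python
"""Evaluate an IDIAL /gds/monitor/crt response offline.

Added example, not IDIAL code. Input is the JSON the endpoint returns
(a constructed sample below, in the documented shape).
"""
import json
import re
from datetime import date, datetime

# Constructed sample in the documented response shape (not a real device).
SAMPLE_RESPONSE = json.dumps({
    "url": "opc.tcp://192.168.1.100:4840",
    "idial_time": "2026-03-30T14:22:05.123456",
    "fingerprint": "A1:B2:C3:D4:E5:F6:07:08:09:10:11:12:13:14:15:16:17:18:19:20",
    "security_policy": 8,
    "security_mode": 2,
    "x509": "Certificate:\n Subject: CN=OPC UA Server\n Issuer: CN=Internal CA\n"
            " Not Before: 2025-01-01\n Not After: 2027-01-01\n ...",
})

SECURITY_MODES = {0: "None", 1: "Sign", 2: "SignAndEncrypt"}


def build_request(server, port=4840, x509=True, connection_security=False):
    """Request body for POST /gds/monitor/crt with the documented parameters."""
    return {"server": server, "port": port, "fingerprint": "SHA1",
            "x509": x509, "connection_security": connection_security}


def fetch(idial_host, api_key, body, timeout=10):
    """Same call as the curl example (network; not used by the offline demo).
    TLS verification stays on, as in the page's curl without -k."""
    import urllib.request
    req = urllib.request.Request(
        f"https://{idial_host}:5000/gds/monitor/crt",
        data=json.dumps(body).encode(),
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def normalize_fingerprint(fp):
    """Drop colons/whitespace and upper-case, so 'a1b2..' equals 'A1:B2:..'.
    Rejects anything that is not 20 bytes (SHA-1) of hex."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hex_only) != 40:
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return hex_only


def not_after(x509_text):
    """Extract the Not After date from the human-readable x509 field.
    Assumes the YYYY-MM-DD form shown in the page's example response."""
    m = re.search(r"Not After:\s*(\d{4}-\d{2}-\d{2})", x509_text)
    if not m:
        raise ValueError("x509 field lacks a parsable 'Not After' date")
    return date.fromisoformat(m.group(1))


def evaluate(response_json, expected_fingerprint, warn_days=30):
    """Return fingerprint match, days of validity left, security mode and findings."""
    r = json.loads(response_json)
    findings = []
    if "url" not in r:
        findings.append("device not registered in inventory (no url field)")
    fp_ok = None
    if "fingerprint" not in r:
        findings.append("fingerprint missing: request did not set fingerprint=SHA1")
    else:
        fp_ok = (normalize_fingerprint(r["fingerprint"])
                 == normalize_fingerprint(expected_fingerprint))
        if not fp_ok:
            findings.append("fingerprint differs from pinned value: "
                            "certificate changed or this is not the expected device")
    mode = SECURITY_MODES.get(r.get("security_mode"), "unknown")
    if mode == "None":
        findings.append("security_mode None: channel neither signed nor encrypted")
    days_left = None
    if "x509" in r:
        checked_on = datetime.fromisoformat(r["idial_time"]).date()
        days_left = (not_after(r["x509"]) - checked_on).days
        if days_left < 0:
            findings.append("certificate expired")
        elif days_left <= warn_days:
            findings.append(f"certificate expires in {days_left} days: schedule renewal")
    return {"fingerprint_match": fp_ok, "days_left": days_left,
            "security_mode": mode, "findings": findings}


if __name__ == "__main__":
    # Constructed pinned value, recorded the way openssl prints it minus colons.
    pinned = "a1b2c3d4e5f60708091011121314151617181920"
    print(json.dumps(evaluate(SAMPLE_RESPONSE, pinned), indent=2))
```

Run it against a live device by replacing SAMPLE_RESPONSE with `fetch("<idial-host>", "<api-key>", build_request("192.168.1.100"))`. The fingerprint comparison is the part worth keeping: a changed fingerprint between two scheduler runs means either a renewal happened or the endpoint answering on that address is not the device you pinned, and only the inventory can tell you which.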
Step 2 — Activate the Monitoring Scheduler (Optional)
The monitoring scheduler periodically checks all devices in the inventory and updates their certificate status in the database.
```bash
curl -s -X POST \
  -H "X-API-Key: <api-key>" \
  -H "Content-Type: application/json" \
  -d '{
    "monitor_scheduler_active": true,
    "monitor_scheduler_scan_interval_sec": 600
  }' \
  https://<idial-host>:5000/systeminfo
```
| Parameter | Type | Default | Description |
|---|---|---|---|
| monitor_scheduler_active | boolean | false | Enable/disable the monitoring scheduler |
| monitor_scheduler_scan_interval_sec | integer ≥ 1 | 600 | Scan interval in seconds (default: 10 minutes) |
Tip: 600 seconds (10 minutes) is a good starting value. For large inventories or slow networks, increase the interval to avoid overloading the network and the devices being polled. Keep in mind that the interval also bounds how long an expired or changed certificate can go unnoticed.
Step 3 — Check Scheduler Status
```bash
curl -s \
  -H "X-API-Key: <api-key>" \
  https://<idial-host>:5000/systeminfo
```

```json
{
  "monitor_scheduler_status": "active",
  "monitor_scheduler_active": true,
  "monitor_scheduler_scan_interval_sec": 600
}
```
Summary
POST /gds/monitor/crt → Retrieve the certificate of a single device
POST /systeminfo → Activate/configure the monitoring scheduler
GET /systeminfo → Check scheduler status
Next Steps
- Manage Trust List — Read the trust list of a device
- Renew Certificate Manually — Trigger renewal after a monitoring finding
- POST /gds/monitor/crt — API Reference
Troubleshooting
| Symptom | Possible Cause | Solution |
|---|---|---|
| Response without url field | Device not in inventory | Register the device or check server/port |
| Connection error | Device not reachable or wrong port | Check IP, port, and network connectivity |
| fingerprint missing from response | fingerprint parameter not set | Include "fingerprint": "SHA1" in the request |
| Connection only succeeds with disable_crl_check | CRL distribution point not reachable | Restore network connectivity to the CRL distribution point. Treat disable_crl_check as a temporary diagnostic only: while it is set, a revoked device certificate is not detected |