
Certificate Monitoring

The monitoring endpoints establish a live connection to the target device and read certificate information, trust lists, and device metadata directly. Unlike the inventory, which returns cached data, each call builds an active OPC UA connection.

Note: These endpoints establish a live connection to the target device. Ensure the target is reachable from the IDIAL container before calling them.

POST /gds/monitor/crt

Connects to a remote OPC UA server, reads its current application certificate, and stores the result in the inventory. Optionally returns the full X.509 text representation and a fingerprint.

Authentication: Required (X-API-Key header)

Request

curl -X POST http://localhost:5000/gds/monitor/crt \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{
"server": "192.168.1.10",
"port": 4840,
"x509": false,
"fingerprint": "sha1",
"connection_security": false,
"disable_crl_check": false
}'

Request Fields

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | Yes | | IP address or DNS hostname of the OPC UA server. |
| port | string | No | "4840" | OPC UA port number. |
| x509 | boolean | No | false | Include human-readable X.509 certificate text in the response. |
| fingerprint | string | No | | Compute a fingerprint of the device certificate. Supported value: "sha1". |
| connection_security | boolean | No | false | Enable secure connection mode for the OPC UA session. |
| disable_crl_check | boolean | No | false | Skip CRL revocation check when connecting. |

Response 200

{
"url": "opc.tcp://192.168.1.10:4840",
"fingerprint": "A1:B2:C3:D4:E5:F6:78:90:12:34:56:78:90:AB:CD:EF:12:34:56:78",
"x509": "Certificate:\n Data:\n ...",
"security_policy": 8,
"security_mode": 2
}

Response Fields

| Field | Type | Description |
|---|---|---|
| url | string | OPC UA connection URL. Present only when the device is in the inventory. |
| fingerprint | string | Certificate fingerprint in colon-separated hex. Present only when fingerprint was specified in the request. |
| x509 | string | Human-readable certificate details. Present only when x509: true was set. |
| security_policy | integer | Negotiated OPC UA security policy bitmask. See reference-parameters. |
| security_mode | integer | Negotiated OPC UA security mode. See reference-parameters. |

Response 500

{"error": "string"}

GET /gds/monitor/crt/{host_or_url}

Reads the certificate of a GDS inventory entry by host or URL. Equivalent to POST /gds/monitor/crt but uses GET semantics with credentials loaded from the inventory.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/monitor/crt/192.168.1.10 \
-H "X-API-Key: your-api-key"

Response 200

Response format matches POST /gds/monitor/crt.

Response 400

{"error": "string"}

POST /gds/inventory/crt

Returns certificate details for a GDS inventory entry identified by body parameters.

Authentication: Required (X-API-Key header)

Note: This endpoint is deprecated. Use GET /gds/inventory/crt/{host_or_url} instead.

Request

curl -X POST http://localhost:5000/gds/inventory/crt \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"server": "192.168.1.10", "port": 4840}'

Request Fields

| Field | Type | Required | Description |
|---|---|---|---|
| server | string | Yes | Hostname or IP address. |
| port | integer (1–65535) | No | Port (default: 4840). |

Response 200

Response format matches GET /gds/inventory/crt/{host_or_url}.


GET /gds/inventory/crt/{host_or_url}

Returns parsed certificate details for a GDS inventory entry from cached inventory data. No live connection is made.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/inventory/crt/192.168.1.10 \
-H "X-API-Key: your-api-key"

Response 200

{
"name": "PLC Line 1",
"url": "opc.tcp://192.168.1.10:4840",
"device_status": 1,
"last_changed_certificate_date": "2026-01-15",
"certificate": {
"sha1_thumbprint": "A1:B2:C3:...",
"subject_dn": "CN=plc-line1,O=ExampleCorp,C=DE",
"issuer_dn": "CN=Issuing CA,O=ExampleCorp,C=DE",
"valid_from": "2026-01-01T00:00:00",
"valid_to": "2027-01-01T00:00:00",
"remaining_days": 241,
"self_signed": false,
"key_type": "RSA",
"public_key_size": 2048
},
"certificate_revocation": {
"id": 1,
"name": "not_revoked",
"description": "certificate was checked against a CRL and is not revoked",
"is_revoked": false
},
"certificate_revocation_reason": null
}

Response Fields

| Field | Type | Description |
|---|---|---|
| name | string \| null | Device display name. |
| url | string | OPC UA connection URL. |
| device_status | integer \| null | Device status value. |
| last_changed_certificate_date | string \| null | Date of last certificate change. |
| certificate | object | Parsed certificate details (see below). |
| certificate_revocation | object | CRL revocation status. |
| certificate_revocation_reason | object \| null | Revocation reason if revoked. |

certificate object fields:

| Field | Type | Description |
|---|---|---|
| sha1_thumbprint | string \| null | SHA-1 thumbprint (colon-separated hex). |
| sha256_spki | string \| null | SHA-256 SPKI fingerprint. |
| subject_dn | string \| null | Subject distinguished name. |
| subject_cn | string \| null | Subject common name. |
| issuer_dn | string \| null | Issuer distinguished name. |
| serial_number | string \| null | Serial number (hex). |
| valid_from | string \| null | Validity start (ISO 8601). |
| valid_to | string \| null | Validity end (ISO 8601). |
| remaining_days | integer \| null | Days until expiry. |
| self_signed | boolean | Whether the certificate is self-signed. |
| key_type | string \| null | Key algorithm (e.g. "RSA"). |
| public_key_size | integer \| null | Key size in bits. |
| key_usage | string[] | Key usage extensions. |
| extended_key_usage | string[] | Extended key usage. |
| san | object | Subject Alternative Names grouped by type. |
| cdp | string[] | CRL Distribution Point URIs. |
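
The following is an added example, not part of the IDIAL documentation or code: a client-side audit that checks a cached GET /gds/inventory/crt/{host_or_url} body for revocation, expiry, self-signed and small-key findings, and compares its sha1_thumbprint with the fingerprint from a live POST /gds/monitor/crt call. The thresholds, finding names and sample values are assumptions made for the example.

```python
MIN_REMAINING_DAYS = 30   # assumed renewal window, not an IDIAL default
MIN_RSA_BITS = 2048       # assumed minimum RSA key size, not an IDIAL default


def normalize_fp(value):
    """Make colon-separated hex fingerprints comparable."""
    return (value or "").replace(":", "").strip().lower()


def audit_certificate(cached, live=None):
    """Return finding strings for one inventory entry.
    cached: body of GET /gds/inventory/crt/{host_or_url}
    live:   body of POST /gds/monitor/crt sent with "fingerprint": "sha1"
    """
    findings = []
    cert = cached.get("certificate") or {}
    revocation = cached.get("certificate_revocation") or {}
    if revocation.get("is_revoked"):
        findings.append("revoked")
    days = cert.get("remaining_days")
    if days is None:
        findings.append("expiry-unknown")
    elif days <= 0:  # assumes the value is zero or negative once expired
        findings.append("expired")
    elif days < MIN_REMAINING_DAYS:
        findings.append("expires-soon")
    if cert.get("self_signed"):
        findings.append("self-signed")
    size = cert.get("public_key_size")
    if cert.get("key_type") == "RSA" and size is not None and size < MIN_RSA_BITS:
        findings.append("weak-key")
    if live is not None:
        live_fp = normalize_fp(live.get("fingerprint"))
        if not live_fp:
            findings.append("live-fingerprint-missing")
        elif live_fp != normalize_fp(cert.get("sha1_thumbprint")):
            findings.append("fingerprint-changed")
    return findings


# Constructed sample data in the documented shapes (values are made up).
CACHED = {
    "certificate": {"sha1_thumbprint": "A1:B2:C3:D4:E5:F6:78:90:12:34:56:78:90:AB:CD:EF:12:34:56:78",
                    "remaining_days": 12, "self_signed": True,
                    "key_type": "RSA", "public_key_size": 1024},
    "certificate_revocation": {"name": "not_revoked", "is_revoked": False},
}
LIVE_NEW = {"fingerprint": "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"}
```

Fetch the cached entry before making the live call, because POST /gds/monitor/crt stores its result in the inventory and the two values would otherwise always match.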

GET /gds/monitor/plc/{host_or_url}

Reads PLC-specific metadata (e.g. module info, firmware) from an OPC UA endpoint via a live connection.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/monitor/plc/192.168.1.10 \
-H "X-API-Key: your-api-key"

Response 200

{
"url": "opc.tcp://192.168.1.10:4840",
"plc_info": {}
}

GET /gds/monitor/firmware/{host_or_url}

Reads firmware version information from a GDS inventory entry.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/monitor/firmware/192.168.1.10 \
-H "X-API-Key: your-api-key"

Response 200

{
"url": "opc.tcp://192.168.1.10:4840",
"firmware_version": "V03.01.03",
"device_name": "SIMATIC S7-1500 OPC UA"
}

GET /gds/monitor/status/{host_or_url}

Reads the operational status of a GDS inventory entry via a live OPC UA connection.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/monitor/status/192.168.1.10 \
-H "X-API-Key: your-api-key"

Response 200

{
"url": "opc.tcp://192.168.1.10:4840",
"status": "run"
}

POST /gds/monitor/trustlist

Reads the trust list from a remote OPC UA server and stores it in the inventory. The trustlist bitmask controls which components are read.

Authentication: Required (X-API-Key header)

Request

curl -X POST http://localhost:5000/gds/monitor/trustlist \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{
"server": "192.168.1.10",
"port": 4840,
"trustlist": 15,
"username": "admin",
"password": "secret"
}'

Request Fields

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | Yes | | Hostname or IP of the target device. |
| port | integer (1–65535) | No | 4840 | OPC UA port. |
| trustlist | integer | No | 15 | Bitmask controlling which trust list components to read. See reference-parameters. |
| username | string | No | | Username for authentication. |
| password | string | No | | Password for authentication. |
| security_policy | integer | No | | Security policy bitmask. |
| security_mode | integer | No | | Security mode bitmask. |

Response 200

{
"success": true,
"execution": "ok",
"error": "",
"result": null
}

GET /gds/monitor/trustlist/{host_or_url}

Returns the cached trust list for a GDS inventory entry.

Authentication: Required (X-API-Key header)

Request

curl -X GET http://localhost:5000/gds/monitor/trustlist/192.168.1.10 \
-H "X-API-Key: your-api-key"

Response 200

Response format matches GET /gds/inventory/trustlist, for a single entry.


DELETE /gds/monitor/trustlist

Deletes the stored trust list for all GDS inventory entries.

Authentication: Required (X-API-Key header)

Request

curl -X DELETE http://localhost:5000/gds/monitor/trustlist \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"trustlist": 15}'

Request Fields

| Field | Type | Required | Description |
|---|---|---|---|
| trustlist | integer | No | Bitmask of trust list components to delete (default: 15 = all). |

Response 200

{"success": true, "execution": "ok", "error": "", "result": null}

DELETE /gds/monitor/trustlist/{host_or_url}

Deletes the stored trust list for a single GDS inventory entry.

Authentication: Required (X-API-Key header)

Request

curl -X DELETE http://localhost:5000/gds/monitor/trustlist/192.168.1.10 \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"trustlist": 15}'

Request Fields

| Field | Type | Required | Description |
|---|---|---|---|
| trustlist | integer | No | Bitmask of trust list components to delete (default: 15 = all). |

Response 200

{"success": true, "execution": "ok", "error": "", "result": null}

Response 404

{"error": "string"}