Certificate Monitoring
The monitoring endpoints establish a live connection to the target device and read certificate information, trust lists, and device metadata directly. Unlike the inventory, which returns cached data, each call builds an active OPC UA connection.
Ensure the target device is reachable from the IDIAL container before calling these endpoints.
POST /gds/monitor/crt
Connects to a remote OPC UA server, reads its current application certificate, and stores the result in the inventory. Optionally returns the full X.509 text representation and a fingerprint.
Authentication: Required (X-API-Key header)
Request
curl -X POST http://localhost:5000/gds/monitor/crt \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{
"server": "192.168.1.10",
"port": 4840,
"x509": false,
"fingerprint": "sha1",
"connection_security": false,
"disable_crl_check": false
}'
Request Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | Yes | — | IP address or DNS hostname of the OPC UA server. |
| port | string | No | "4840" | OPC UA port number. |
| x509 | boolean | No | false | Include human-readable X.509 certificate text in the response. |
| fingerprint | string | No | — | Compute a fingerprint of the device certificate. Supported value: "sha1". |
| connection_security | boolean | No | false | Enable secure connection mode for the OPC UA session. |
| disable_crl_check | boolean | No | false | Skip CRL revocation check when connecting. |
Response 200
{
"url": "opc.tcp://192.168.1.10:4840",
"fingerprint": "A1:B2:C3:D4:E5:F6:78:90:12:34:56:78:90:AB:CD:EF:12:34:56:78",
"x509": "Certificate:\n Data:\n ...",
"security_policy": 8,
"security_mode": 2
}
Response Fields
| Field | Type | Description |
|---|---|---|
| url | string | OPC UA connection URL. Present only when the device is in the inventory. |
| fingerprint | string | Certificate fingerprint in colon-separated hex. Present only when fingerprint was specified in the request. |
| x509 | string | Human-readable certificate details. Present only when x509: true was set. |
| security_policy | integer | Negotiated OPC UA security policy bitmask. See reference-parameters. |
| security_mode | integer | Negotiated OPC UA security mode. See reference-parameters. |
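Because POST /gds/monitor/crt stores its result in the inventory, an unexpected certificate change is easiest to catch against a baseline kept outside the tool. The following is an added example, not part of the product documentation; the `PINS` store, the function names and the status strings are assumptions made for illustration.

```python
import re

# Constructed baseline kept outside the inventory, keyed by "server:port".
PINS = {
    "192.168.1.10:4840":
        "A1:B2:C3:D4:E5:F6:78:90:12:34:56:78:90:AB:CD:EF:12:34:56:78",
}

def normalize_sha1(value):
    """Return 40 uppercase hex chars, or None if not a complete SHA-1."""
    if not isinstance(value, str):
        return None
    hexed = re.sub(r"[:\s]", "", value).upper()
    return hexed if re.fullmatch(r"[0-9A-F]{40}", hexed) else None

def check_pin(server, port, response, pins=PINS):
    """Classify one POST /gds/monitor/crt response body against the baseline."""
    expected = normalize_sha1(pins.get(f"{server}:{port}"))
    if expected is None:
        return "unpinned"
    # "fingerprint" is present only when requested; an error body has none.
    seen = normalize_sha1(response.get("fingerprint"))
    if seen is None:
        return "no_fingerprint"
    return "match" if seen == expected else "changed"
```

Treat "no_fingerprint" as a failed check rather than a pass, since it also covers error responses and truncated values.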
Response 500
{"error": "string"}
GET /gds/monitor/crt/{host_or_url}
Reads the certificate of a GDS inventory entry by host or URL. Equivalent to POST /gds/monitor/crt but uses GET semantics with credentials loaded from the inventory.
Authentication: Required (X-API-Key header)
Request
curl -X GET http://localhost:5000/gds/monitor/crt/192.168.1.10 \
-H "X-API-Key: your-api-key"
Response 200
Response format matches POST /gds/monitor/crt.
Response 400
{"error": "string"}
POST /gds/inventory/crt
Returns certificate details for a GDS inventory entry identified by body parameters.
Authentication: Required (X-API-Key header)
This endpoint is deprecated. Use GET /gds/inventory/crt/{host_or_url} instead.
Request
curl -X POST http://localhost:5000/gds/inventory/crt \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"server": "192.168.1.10", "port": 4840}'
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| server | string | Yes | Hostname or IP address. |
| port | integer (1–65535) | No | Port (default: 4840). |
Response 200
Response format matches GET /gds/inventory/crt/{host_or_url}.
GET /gds/inventory/crt/{host_or_url}
Returns parsed certificate details for a GDS inventory entry from cached inventory data. No live connection is made.
Authentication: Required (X-API-Key header)
Request
curl -X GET http://localhost:5000/gds/inventory/crt/192.168.1.10 \
-H "X-API-Key: your-api-key"
Response 200
{
"name": "PLC Line 1",
"url": "opc.tcp://192.168.1.10:4840",
"device_status": 1,
"last_changed_certificate_date": "2026-01-15",
"certificate": {
"sha1_thumbprint": "A1:B2:C3:...",
"subject_dn": "CN=plc-line1,O=ExampleCorp,C=DE",
"issuer_dn": "CN=Issuing CA,O=ExampleCorp,C=DE",
"valid_from": "2026-01-01T00:00:00",
"valid_to": "2027-01-01T00:00:00",
"remaining_days": 241,
"self_signed": false,
"key_type": "RSA",
"public_key_size": 2048
},
"certificate_revocation": {
"id": 1,
"name": "not_revoked",
"description": "certificate was checked against a CRL and is not revoked",
"is_revoked": false
},
"certificate_revocation_reason": null
}
Response Fields
| Field | Type | Description |
|---|---|---|
| name | string \| null | Device display name. |
| url | string | OPC UA connection URL. |
| device_status | integer \| null | Device status value. |
| last_changed_certificate_date | string \| null | Date of last certificate change. |
| certificate | object | Parsed certificate details (see below). |
| certificate_revocation | object | CRL revocation status. |
| certificate_revocation_reason | object \| null | Revocation reason if revoked. |
certificate object fields:
| Field | Type | Description |
|---|---|---|
| sha1_thumbprint | string \| null | SHA-1 thumbprint (colon-separated hex). |
| sha256_spki | string \| null | SHA-256 SPKI fingerprint. |
| subject_dn | string \| null | Subject distinguished name. |
| subject_cn | string \| null | Subject common name. |
| issuer_dn | string \| null | Issuer distinguished name. |
| serial_number | string \| null | Serial number (hex). |
| valid_from | string \| null | Validity start (ISO 8601). |
| valid_to | string \| null | Validity end (ISO 8601). |
| remaining_days | integer \| null | Days until expiry. |
| self_signed | boolean | Whether the certificate is self-signed. |
| key_type | string \| null | Key algorithm (e.g. "RSA"). |
| public_key_size | integer \| null | Key size in bits. |
| key_usage | string[] | Key usage extensions. |
| extended_key_usage | string[] | Extended key usage. |
| san | object | Subject Alternative Names grouped by type. |
| cdp | string[] | CRL Distribution Point URIs. |
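The response of GET /gds/inventory/crt/{host_or_url} carries enough to triage a device certificate without a live connection. The sketch below is an added example, not part of the product documentation: the thresholds, the finding codes and the `triage` function are assumptions, and the sample is constructed from the documented response shape.

```python
from datetime import datetime, timezone

WARN_DAYS = 30       # assumed policy threshold, not defined by the API
MIN_RSA_BITS = 2048  # assumed policy threshold, not defined by the API

# Constructed sample shaped like the documented 200 response (subset of fields).
SAMPLE = {
    "name": "PLC Line 1",
    "url": "opc.tcp://192.168.1.10:4840",
    "certificate": {
        "valid_to": "2027-01-01T00:00:00",
        "remaining_days": 241,
        "self_signed": False,
        "key_type": "RSA",
        "public_key_size": 2048,
    },
    "certificate_revocation": {"name": "not_revoked", "is_revoked": False},
}

def triage(entry, now=None):
    """Return sorted finding codes for one inventory entry."""
    now = now or datetime.now(timezone.utc)
    cert = entry.get("certificate") or {}
    rev = entry.get("certificate_revocation") or {}
    findings = set()
    if rev.get("is_revoked"):
        findings.add("revoked")
    elif rev.get("name") != "not_revoked":
        # Only "not_revoked" is documented as "checked against a CRL".
        findings.add("revocation_unverified")
    # Recompute from valid_to when present; fall back to remaining_days.
    days = cert.get("remaining_days")
    if cert.get("valid_to"):
        end = datetime.fromisoformat(cert["valid_to"])
        if end.tzinfo is None:
            end = end.replace(tzinfo=timezone.utc)  # assumption: UTC
        days = (end - now).days
    if days is None:
        findings.add("expiry_unknown")
    elif days < 0:
        findings.add("expired")
    elif days <= WARN_DAYS:
        findings.add("expiring_soon")
    if cert.get("self_signed"):
        findings.add("self_signed")
    size = cert.get("public_key_size")
    if cert.get("key_type") == "RSA" and size is not None and size < MIN_RSA_BITS:
        findings.add("weak_key")
    return sorted(findings)
```

An empty list means no finding under the assumed policy; a missing or null revocation object is reported as unverified rather than treated as clean.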
GET /gds/monitor/plc/{host_or_url}
Reads PLC-specific metadata (e.g. module info, firmware) from an OPC UA endpoint via a live connection.
Authentication: Required (X-API-Key header)
Request
curl -X GET http://localhost:5000/gds/monitor/plc/192.168.1.10 \
-H "X-API-Key: your-api-key"
Response 200
{
"url": "opc.tcp://192.168.1.10:4840",
"plc_info": {}
}
GET /gds/monitor/firmware/{host_or_url}
Reads firmware version information from a GDS inventory entry.
Authentication: Required (X-API-Key header)
Request
curl -X GET http://localhost:5000/gds/monitor/firmware/192.168.1.10 \
-H "X-API-Key: your-api-key"
Response 200
{
"url": "opc.tcp://192.168.1.10:4840",
"firmware_version": "V03.01.03",
"device_name": "SIMATIC S7-1500 OPC UA"
}
GET /gds/monitor/status/{host_or_url}
Reads the operational status of a GDS inventory entry via a live OPC UA connection.
Authentication: Required (X-API-Key header)
Request
curl -X GET http://localhost:5000/gds/monitor/status/192.168.1.10 \
-H "X-API-Key: your-api-key"
Response 200
{
"url": "opc.tcp://192.168.1.10:4840",
"status": "run"
}
POST /gds/monitor/trustlist
Reads the trust list from a remote OPC UA server and stores it in the inventory. The trustlist bitmask controls which components are read.
Authentication: Required (X-API-Key header)
Request
curl -X POST http://localhost:5000/gds/monitor/trustlist \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{
"server": "192.168.1.10",
"port": 4840,
"trustlist": 15,
"username": "admin",
"password": "secret"
}'
Request Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | Yes | — | Hostname or IP of the target device. |
| port | integer (1–65535) | No | 4840 | OPC UA port. |
| trustlist | integer | No | 15 | Bitmask controlling which trust list components to read. See reference-parameters. |
| username | string | No | — | Username for authentication. |
| password | string | No | — | Password for authentication. |
| security_policy | integer | No | — | Security policy bitmask. |
| security_mode | integer | No | — | Security mode bitmask. |
Response 200
{
"success": true,
"execution": "ok",
"error": "",
"result": null
}
GET /gds/monitor/trustlist/{host_or_url}
Returns the cached trust list for a GDS inventory entry.
Authentication: Required (X-API-Key header)
Request
curl -X GET http://localhost:5000/gds/monitor/trustlist/192.168.1.10 \
-H "X-API-Key: your-api-key"
Response 200
Response format matches GET /gds/inventory/trustlist, for a single entry.
DELETE /gds/monitor/trustlist
Deletes the stored trust list for all GDS inventory entries.
Authentication: Required (X-API-Key header)
Request
curl -X DELETE http://localhost:5000/gds/monitor/trustlist \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"trustlist": 15}'
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| trustlist | integer | No | Bitmask of trust list components to delete (default: 15 = all). |
Response 200
{"success": true, "execution": "ok", "error": "", "result": null}
DELETE /gds/monitor/trustlist/{host_or_url}
Deletes the stored trust list for a single GDS inventory entry.
Authentication: Required (X-API-Key header)
Request
curl -X DELETE http://localhost:5000/gds/monitor/trustlist/192.168.1.10 \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json" \
-d '{"trustlist": 15}'
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| trustlist | integer | No | Bitmask of trust list components to delete (default: 15 = all). |
Response 200
{"success": true, "execution": "ok", "error": "", "result": null}
Response 404
{"error": "string"}