Sterfive GDS

OPC UA Global Discovery Server, productised.

Automate the entire X.509 certificate lifecycle across your OPC UA fleet (issuance, renewal, trust list distribution and revocation) in both PULL and PUSH modes. Docker-native, pluggable CA, built on node-opcua by the team that maintains it.

Sterfive GDS: OPC UA Global Discovery Server

White paper

When Security Matters: Certificate Management in OPC UA

A practical guide to the GDS, PULL & PUSH modes, and why the Part 12 standard is the only sustainable answer at industrial scale.

From the maintainers of node-opcua

Part 12 of the OPC UA spec, finally turned into a product.

"The Global Discovery Server is the most under-deployed part of the OPC UA standard. Everyone agrees that hand-managing certificates across hundreds of PLCs is broken, and yet GDS adoption has been blocked for years by the lack of a production-ready, pluggable, container-native implementation. We built Sterfive GDS to close that gap, on top of the same node-opcua stack we maintain upstream. One vendor, one accountable contact, one container; and the certificate-expiry-at-2-a.m. era is over."

Etienne Rossignon, Creator of NodeOPCUA & CEO of Sterfive

What Sterfive GDS does

Capabilities that retire the certificate-by-hand era

Sterfive GDS centralises every step of the X.509 lifecycle for an entire OPC UA realm and exposes it through a standards-compliant Part 12 endpoint that any conformant OPC UA stack can drive.

End-to-End Certificate Lifecycle

Issue, renew, revoke β€” automatically

Every registered OPC UA application gets its certificate issued, renewed ahead of expiry, and revoked when needed, driven by the GDS and signed by the CA backend of your choice. Trust lists and CRLs propagate to the entire fleet automatically. The 2 a.m. BadCertificateTimeInvalid outage (a peer rejecting a certificate that expired overnight) becomes a story you tell new hires, not a recurring incident.

PULL and PUSH, both standard

Cover every network topology

PULL lets applications fetch their own certificates when they can reach the GDS: the application opens a session to the GDS, registers, submits a CSR and collects the signed certificate and the trust list. It suits clients, cloud-connected servers and dev environments. PUSH inverts the direction: the GDS connects into firewalled OT devices as an OPC UA client and drives the device's ServerConfiguration object to request a CSR, install the new certificate and update the trust list. That is the only practical model for production PLCs and embedded servers that cannot initiate outbound traffic. It also means the GDS holds administrative access to every device's trust configuration, so its own credentials and certificate deserve the same protection as any other privileged OT account. Sterfive GDS implements both modes simultaneously, in the same instance.

Pluggable CA, no PKI lock-in

Built-in CA, Step-CA, Vault, ADCS, EJBCA

Drop in the CA backend your organisation already runs: Step-CA, HashiCorp Vault PKI, Microsoft ADCS, EJBCA, or the included built-in CA for zero-config deployments. Switching backends is a single environment variable: no code changes, no recertification effort. Cloud HSM integration (Google Cloud HSM, OVH KMS) is on the roadmap for FIPS 140-2 Level 3 protection of the root CA key.

Regulatory alignment, by design

IEC 62443 · NIS2 · NERC CIP

Centralised PKI governance, a full audit trail of every certificate operation, and the operational practicality to enforce short certificate validity (90 days or less): the three pillars regulators now demand. Sterfive GDS turns "certificate hygiene" from a compliance burden into a built-in default.

Where Sterfive GDS is needed most

Industries where one missed renewal is one outage too many

Anywhere OPC UA security is taken seriously, the GDS is the missing piece. These are the verticals where Sterfive GDS replaces the spreadsheet of expiry dates with a self-driving PKI.

Smart Factories & Discrete Manufacturing

Hundreds of PLCs, one PKI

Modern plants run dozens to hundreds of OPC UA endpoints: PLCs, robots, vision systems, edge gateways. Sterfive GDS onboards every device with a signed certificate, rotates certificates ahead of expiry via PUSH, and keeps the trust list synchronised, so adding a new asset is a registration, not a fleet-wide trust-store update.

Critical Infrastructure & Defence

IEC 62443, NIS2, air-gapped sites

Energy, water, defence, transport: every regulated operator now faces explicit certificate-hygiene mandates. Sterfive GDS provides the centralised CA, the audit trail and the short-lifetime rotation that auditors expect. It runs on air-gapped networks with the built-in CA and a persistent volume, with no internet or cloud dependency. Note that the volume then holds the realm's root CA key, so its backups need the same protection as the key itself.

Energy & Utilities

DERs, substations, generation fleets

Renewable assets, substations and DERs increasingly speak OPC UA, often through aggregating gateways. A central Sterfive GDS at the operator's NOC issues and rotates certificates across the whole fleet, including remote, low-bandwidth sites, making cyber-secure DER integration administratively realistic.

Multi-Vendor Production Facilities

Hundreds of heterogeneous OPC UA servers, one unified trust fabric

Real factories don't run one vendor's stack; they run dozens. Siemens, Beckhoff, Rockwell, B&R, Schneider, Bosch Rexroth, in-house servers, third-party gateways, embedded vendor OPC UA endpoints in vision systems, drives and analysers. Each ships with its own certificate model, its own self-signed defaults and its own management console. At a few dozen endpoints this becomes unmanageable; at a few hundred it stops working entirely. Sterfive GDS gives every vendor's OPC UA server the same Part 12 onboarding path, the same trust list, the same audit trail and the same rotation policy: a single unified technique to make a heterogeneous estate securely accessible from SCADA, MES and cloud.

Why Sterfive GDS

The GDS the OPC UA ecosystem has been waiting for

Production-ready, container-native, regulatory-aligned, and built by the team that authors the underlying OPC UA stack. Eight things that make Sterfive GDS different.

OPC UA Part 12 conformance

A faithful implementation of the OPC UA Global Discovery Server specification, interoperable with any conformant OPC UA stack, on any vendor's PLC or SCADA.

PULL and PUSH out of the box

Both operation modes are first-class. PULL for apps that can reach the GDS; PUSH for firewalled OT devices the GDS must reach. The same instance handles both, concurrently.

Built-in CA, zero-config

Operational in five minutes with the included CA β€” no Step-CA, no Vault, no ADCS required to get started. Production-ready, not a toy.

Pluggable enterprise PKI

One environment variable swaps the CA backend to Step-CA, HashiCorp Vault, Microsoft ADCS or EJBCA. No code changes, no lock-in. Cloud HSM is on the roadmap.

Docker-native deployment

Container image, Docker Compose bundle and Kubernetes-ready. Persistent volumes for the PKI store, predictable for backup, GitOps and disaster recovery.

Admin Web UI

Browse registered applications, approve or refuse CSRs, push trust lists, revoke certificates, export the audit log β€” all from an HTTPS console, with role-based access.

Short-lived certificates, practical

90-day (or 30-day) certificate validity becomes operationally realistic when rotation is automatic. A shorter validity window limits how long a leaked or compromised key stays usable and keeps CRLs short, and nobody has to touch a device to get there: better security with less work.

Backed by the node-opcua team

Direct access to the maintainers of node-opcua, the OPC UA stack underneath, is included in every paid tier. One vendor, one accountable contact, no dependency chain.

One container

From zero to a running OPC UA CA in 60 seconds

Choose your CA backend with a single environment variable. Run the container. Point your OPC UA applications at the GDS endpoint. The realm onboards itself.

  • OPC UA Part 12 conformant
  • PULL & PUSH on the same instance
  • Built-in · Step-CA · Vault · ADCS · EJBCA
  • Persistent volume, backup-friendly PKI
  • Docker · Compose · Kubernetes
  • SQLite or PostgreSQL
  • Online or offline licensing
docker-compose.yml
services:
  sterfive-gds:
    image: sterfive/gds-server:latest   # pin a released tag in production; :latest is for evaluation
    ports:
      - "4840:4840"   # OPC UA endpoint (Part 12)
      - "8443:8443"   # Admin HTTPS UI
    volumes:
      - gds-data:/data/gds   # PKI store; with the built-in CA it holds the root key, so guard its backups
    environment:
      GDS_CA_BACKEND:         builtin       # or: step-ca | vault | adcs | ejbca
      GDS_CERT_VALIDITY_DAYS: 90
      GDS_SERVER_CERT_MODE:   ca-signed     # or: self-signed (TOFU), acceptable for a lab, not for a plant
      GDS_ADMIN_PASSWORD:     changeme      # replace before first start; this account administers the whole realm
    restart: unless-stopped

volumes:
  gds-data:

Pluggable CA. Persistent volume. Production-ready in five minutes.

Getting Started

Four steps from container to a self-driving PKI

1. Pull the Docker image

docker compose up -d with the Sterfive GDS image: the OPC UA endpoint comes up on opc.tcp://host:4840 and the admin UI on https://host:8443.

2. Pick a CA backend

Stay on the built-in CA for a zero-config start, or set GDS_CA_BACKEND to step-ca, vault, adcs or ejbca to plug into your existing enterprise PKI.

3. Register your applications

Each OPC UA application calls RegisterApplication on first start (PULL) or is registered via the admin UI (PUSH). The GDS issues a signed certificate from your chosen CA. One manual trust decision remains in either mode: the first secure channel between the GDS and an application is opened with the application's initial (typically self-signed) certificate, and that certificate has to be accepted into the GDS trust list by an operator before anything is issued, just as the application has to trust the GDS certificate. Everything after that first approval is automatic.

4. Let the GDS run the lifecycle

Renewals happen ahead of expiry. Trust lists propagate. Revocations land in the CRL within minutes. Operators approve exceptions from the admin UI, and nothing else.
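The four steps above, together with the issue/renew/revoke lifecycle described earlier on this page, as an added worked example that is not part of the original page and not Sterfive GDS code: a Go stand-in for the built-in CA using only the standard library's crypto/x509, so it runs without a GDS or a device. NewRealm plays the realm root. Enroll plays the PULL exchange: the application proves possession of its key with a CSR that carries its ApplicationUri as the URI SAN, and the CA refuses anything else before issuing for 90 days. RenewDue is the rotation rule a scheduler would apply to short-lived certificates. CRL signs the revocation list the GDS would distribute with the trust list, and Verify is the check every fleet member makes against that trust list, including two failure modes a naive check misses: a CRL signed by the wrong CA and a CRL past its NextUpdate. The realm name, the ApplicationUri urn:plant1:line3:plc07, the renew-at-one-third-remaining rule and the 24-hour CRL validity are assumptions chosen for the example; Part 12's PUSH mode exchanges the same artefacts with the GDS connecting to the device instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

type Realm struct { // stands in for the GDS built-in CA: its root key and certificate
	key  *ecdsa.PrivateKey
	root *x509.Certificate
}

func must(err error) { // RNG or encoding failure: abort. Policy refusals return errors instead.
	if err != nil {
		panic(err)
	}
}

// NewRealm creates a self-signed root allowed to sign certificates and CRLs.
func NewRealm(now time.Time) *Realm {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-realm-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	root, err := x509.ParseCertificate(der)
	must(err)
	return &Realm{key: key, root: root}
}

// Enroll plays the PULL exchange: the application signs a CSR carrying its ApplicationUri as
// URI SAN (StartSigningRequest); the CA vets it and issues for validityDays (FinishRequest).
func (r *Realm) Enroll(appKey *ecdsa.PrivateKey, appURI *url.URL, validityDays int, now time.Time) (*x509.Certificate, error) {
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: appURI.Opaque}, URIs: []*url.URL{appURI}}, appKey)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	// Proof of possession, and exactly one URI SAN: OPC UA binds a certificate to one ApplicationUri.
	if err := csr.CheckSignature(); err != nil || len(csr.URIs) != 1 {
		return nil, fmt.Errorf("CSR refused (signature: %v, URI SANs: %d)", err, len(csr.URIs))
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // unpredictable serial
	leaf := &x509.Certificate{SerialNumber: serial, Subject: csr.Subject, URIs: csr.URIs,
		NotBefore:   now.Add(-5 * time.Minute), // tolerate a slightly slow device clock
		NotAfter:    now.AddDate(0, 0, validityDays),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, r.root, csr.PublicKey, r.key)
	must(err)
	return x509.ParseCertificate(der)
}

func RenewDue(c *x509.Certificate, now time.Time) bool { // renew once under a third of the lifetime remains; expired is always due
	return c.NotAfter.Sub(now) < c.NotAfter.Sub(c.NotBefore)/3
}

// CRL signs a revocation list naming the given certificates, as a GDS does before distributing
// it with the trust list. NextUpdate one day out bounds how stale a copy may get.
func (r *Realm) CRL(number int64, now time.Time, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, r.root, r.key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// Verify is what a fleet member does with the distributed trust list: accept the CRL only if the
// root signed it and it is fresh, reject listed serials (Go's chain check ignores CRLs), then chain to the root.
func (r *Realm) Verify(c *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	if err := crl.CheckSignatureFrom(r.root); err != nil {
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("stale CRL, NextUpdate was %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("certificate %x revoked at %s", c.SerialNumber, e.RevocationTime.Format(time.RFC3339))
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(r.root)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}
```

Exercise it from a _test.go or a small main that calls NewRealm, Enroll, CRL and Verify in that order. A revoked certificate fails Verify the moment its serial appears in a CRL, a certificate that is merely expired fails chain verification even against a fresh CRL, and a CRL from another realm or one older than its NextUpdate is rejected before any serial is consulted, which is the order a device-side check should use as well.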

Early-access programme

Become a beta tester for Sterfive GDS

You've read this far β€” you're exactly who we'd like to talk to. Join the early-access programme to get hands-on with Sterfive GDS, exchange directly with the engineering team, and help shape the next release.

Ready to retire the certificate spreadsheet?

Make 90-day certificate rotation a non-event

Request a quote, ask for an evaluation licence, or talk directly to the engineers who maintain node-opcua. Direct maintainer access is included in every paid tier, a benefit unique to buying from the team that authors the underlying OPC UA stack.

One container. One Part 12 endpoint. One audit trail. Replace bespoke certificate scripts and expiry calendars with a standards-compliant Global Discovery Server, backed by the authors of the underlying OPC UA stack.
