Discover Certificates from AppViewX Native CA

Retrieves all SSL certificates issued by the AppViewX PKIaaS certificate authority, with optional filtering by date range, status, template, and issuer CA. Supports cursor-based pagination for large result sets.

Before you begin

Ensure the following before calling this endpoint:
  • Refer to Prerequisites in the PKI User Guide.
  • A valid AppViewX session ID, or login credentials (username and password).
  • Access to the AppViewX gateway (on-prem) or tenant (cloud).
  • Appropriate role permissions to discover certificates.

Request Structure

Endpoint: v1/pki/certificate/discovery
Type: POST
Sample URL:
https://<IP/HostName/TenantName>:<GWPORT>/avxapi/v1/pki/certificate/discovery?gwsource=external

To understand the elements of the sample URL, see "Understanding the sample URL" under References.

Headers
Content-Type: application/json
Table 1. Input Parameters
Name (Location) Description
sessionId (Header) (Mandatory) Session token returned by the login API.

Type: String

Constraint: Required if username and password are not provided.

username (Header) (Mandatory) AppViewX login username.

Type: String

Constraint: Required if sessionId is not provided.

password (Header) (Mandatory) AppViewX login password.

Type: String

Constraint: Required if sessionId is not provided.

Content-Type (Header) (Mandatory) Specifies the nature of the data in the payload.

Type: String

Constraint: Value must be 'application/json'.

gwsource (Query) (Mandatory) Source from which the request is triggered.

Type: String

Payload (Body) Contains all the parameters to be sent in the request body. All fields are optional — send an empty payload object ({"payload": {}}) to retrieve all certificates with default settings.

Type: Payload

Request Body

Table 2. filters.vendorSpecificConditions
Name Description
validFromDate (Optional) Lower bound for certificate validity start date.

Type: String

Format: ISO-8601 UTC. Example: 2026-03-01T00:00:00Z

validToDate (Optional) Upper bound for certificate validity end date.

Type: String

Format: ISO-8601 UTC. Example: 2026-12-31T23:59:59Z

certificateStatus (Optional) Filter by certificate status. Comma-separated, case-sensitive.

Type: String

Allowed values: ACTIVE, EXPIRED, REVOKED

Example: ACTIVE,EXPIRED

templateName (Optional) Filter by certificate template name. Comma-separated.

Type: String

Example: WebServer,OCSP Signing

issuerCa (Optional) Filter by issuing CA name. Comma-separated.

Type: String

Example: rootCA,subCA

Table 3. recursiveData (Pagination)
Name Description
direction (Optional) Pagination direction.

Type: String

Allowed values: next | prev

sortField (Optional) Field to sort results by.

Type: String

Allowed values: _id | validFromDate | validToDate

sortOrder (Optional) Sort direction.

Type: String

Allowed values: asc | desc

pageSize (Optional) Number of records per page.

Type: Integer

Range: 1–1000

lastId (Optional) Cursor ID for forward pagination (next page). 24-character Mongo ObjectId.

Type: String

Constraint: Must be paired with lastSortValue.

lastSortValue (Optional) Sort value paired with lastId.

Type: String

ObjectId string if sorting by _id; ISO-8601 UTC if sorting by date. Example: 2026-03-18T08:57:23Z

firstId (Optional) Cursor ID for backward pagination (prev page). 24-character Mongo ObjectId.

Type: String

Constraint: Must be paired with firstSortValue.

firstSortValue (Optional) Sort value paired with firstId.

Type: String

ObjectId string if sorting by _id; ISO-8601 UTC if sorting by date.

Response Structure

The response is returned as application/json with the following body parameters:

Table 4. Parameters
Name Description
certificateContents[] Array of certificate objects, each containing the PEM-encoded certificate (certificateContent) and its UUID (uuid).
certificateChains Map of leaf certificate UUID to its chain — including root, intermediate(s), and end certificate metadata.
pageInfo.nextCursor Cursor to pass in the next request to get the following page.
pageInfo.prevCursor Cursor to pass in the next request to get the previous page.
pageInfo.hasNext true if more records exist after this page.
pageInfo.hasPrevious true if records exist before this page.
recursiveData Echo of the pagination parameters used for this request.
message Success or error message string.

Type: String

appStatusCode null on success. Contains an error code string on failure.

Type: String

Status Codes

HTTP Code appStatusCode Response Message
200 OK null Certificates discovered successfully.
401 Unauthorized AVX_GW_003 Authentication failed invalid credentials.

Remediation: Provide a valid sessionId or username and password in the headers.

400 Bad Request DISCOVERY_NULL_PAYLOAD Request payload is null.

Remediation: Send a non-null JSON payload object.

400 Bad Request DISCOVERY_INVALID_PAYLOAD_FORMAT Payload JSON structure is invalid.

Remediation: Ensure the payload uses supported keys: filters and recursiveData.

400 Bad Request DISCOVERY_UNSUPPORTED_PAYLOAD_ATTRIBUTE Payload contains an unrecognised key.

Remediation: Use only filters and recursiveData at the top level.

400 Bad Request DISCOVERY_UNSUPPORTED_FILTER_ATTRIBUTE Unsupported key inside filters.

Remediation: Only vendorSpecificConditions is accepted under filters.

400 Bad Request DISCOVERY_UNSUPPORTED_FILTER_KEY Unsupported key inside vendorSpecificConditions.

Remediation: Use only: validFromDate, validToDate, certificateStatus, templateName, issuerCa.

400 Bad Request DISCOVERY_INVALID_DATE_ATTRIBUTE_FORMAT Date value is not in ISO-8601 UTC format.

Remediation: Use the format 2026-03-01T00:00:00Z.

400 Bad Request DISCOVERY_NEGATIVE_DATE validFromDate or validToDate has a negative epoch value.
400 Bad Request DISCOVERY_INVALID_DATE_VALUE Date value cannot be converted to a valid epoch millisecond.
400 Bad Request DISCOVERY_INVALID_DATE_RANGE validFromDate is later than validToDate.

Remediation: Ensure the start date is earlier than the end date.

400 Bad Request DISCOVERY_INVALID_CERTIFICATE_STATUS_FILTER certificateStatus contains an invalid value.

Remediation: Use only ACTIVE, EXPIRED, or REVOKED (case-sensitive).

400 Bad Request DISCOVERY_INVALID_TEMPLATE_NAME_FILTER templateName filter contains an invalid value.
400 Bad Request DISCOVERY_INVALID_ISSUER_CA_FILTER issuerCa filter contains an invalid value.
400 Bad Request DISCOVERY_INVALID_DIRECTION direction value is invalid.

Remediation: Use next or prev.

400 Bad Request DISCOVERY_INVALID_SORT_ORDER sortOrder value is invalid.

Remediation: Use asc or desc.

400 Bad Request DISCOVERY_INVALID_SORT_FIELD sortField value is invalid.

Remediation: Use _id, validFromDate, or validToDate.

400 Bad Request DISCOVERY_INVALID_CURSOR_PAIR Cursor ID and sort value not provided together.

Remediation: Always pair lastId with lastSortValue, and firstId with firstSortValue.

400 Bad Request DISCOVERY_INVALID_CURSOR_FORMAT Cursor format does not match the selected sortField.

Remediation: Use an ObjectId string for _id, or ISO-8601 UTC for date fields.

400 Bad Request DISCOVERY_INVALID_PAGE_SIZE pageSize is out of the allowed range.

Remediation: Set pageSize to a value between 1 and 1000.

Sample Request/Response

Request Payload
{
  "payload": {
    "filters": {
      "vendorSpecificConditions": {
        "validFromDate": "2026-03-01T00:00:00Z",
        "validToDate": "2031-03-31T23:59:59Z",
        "certificateStatus": "ACTIVE,EXPIRED",
        "issuerCa": "rootCA,subCA",
        "templateName": "WebServer,OCSP Signing"
      }
    },
    "recursiveData": {
      "direction": "next",
      "sortField": "validFromDate",
      "sortOrder": "desc",
      "pageSize": 100,
      "lastId": "69ba6b4bdfdbaf47c622e1e2",
      "lastSortValue": "2026-03-18T08:57:23Z"
    }
  }
}
Response
{
  "response": {
    "certificateContents": [
      {
        "certificateContent": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
        "uuid": "leaf-uuid-1"
      },
      {
        "certificateContent": "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----",
        "uuid": "leaf-uuid-2"
      }
    ],
    "certificateChains": {
      "leaf-uuid-1": {
        "rootCertificate": {
          "uuid": "ca-root-uuid",
          "certificateStatus": "ACTIVE",
          "templateName": "RootTemplate"
        },
        "intermediateCertificate-1": {
          "uuid": "ca-int-uuid",
          "certificateStatus": "ACTIVE",
          "templateName": "IntermediateTemplate"
        },
        "endCertificate": {
          "uuid": "leaf-uuid-1",
          "certificateStatus": "ACTIVE",
          "templateName": "WebServer"
        }
      }
    },
    "pageInfo": {
      "nextCursor": { "id": "69ba4c37...", "sortValue": "2026-03-17T22:31:27Z" },
      "prevCursor": { "id": "69ba4daa...", "sortValue": "2026-03-18T08:04:18Z" },
      "hasNext": true,
      "hasPrevious": false
    }
  },
  "message": null,
  "appStatusCode": null
}
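
The pagination rules in Table 3 and the cursor hand-off from pageInfo can be checked on the client before a request is sent. The following is an added example, not AppViewX code: it assumes that nextCursor.id and nextCursor.sortValue are passed back as lastId and lastSortValue, skips any key that is absent, and the order of the checks is a choice made here rather than documented server behaviour.

```python
import copy
import re
from datetime import datetime

OBJECT_ID = re.compile(r"[0-9a-fA-F]{24}")  # 24-character Mongo ObjectId
CURSOR_PAIRS = (("lastId", "lastSortValue"), ("firstId", "firstSortValue"))
# Constructed first-page response fragment; the id and date are sample values.
SAMPLE_RESPONSE = {"response": {"pageInfo": {"hasNext": True, "nextCursor": {
    "id": "0123456789abcdef01234567", "sortValue": "2026-03-17T22:31:27Z"}}}}

def _matches_sort_field(value, sort_field):
    """ObjectId string when sorting by _id, ISO-8601 UTC for the date fields."""
    if sort_field == "_id":
        return bool(OBJECT_ID.fullmatch(value))
    try:
        return bool(datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False

def check_recursive_data(page):
    """Return the documented appStatusCode for the first violation, else None."""
    if page.get("direction", "next") not in ("next", "prev"):  # absent keys pass
        return "DISCOVERY_INVALID_DIRECTION"
    if page.get("sortOrder", "asc") not in ("asc", "desc"):
        return "DISCOVERY_INVALID_SORT_ORDER"
    if page.get("sortField", "_id") not in ("_id", "validFromDate", "validToDate"):
        return "DISCOVERY_INVALID_SORT_FIELD"
    size = page.get("pageSize", 1)
    if not isinstance(size, int) or not 1 <= size <= 1000:
        return "DISCOVERY_INVALID_PAGE_SIZE"
    for cur_id, cur_val in CURSOR_PAIRS:
        if (cur_id in page) != (cur_val in page):
            return "DISCOVERY_INVALID_CURSOR_PAIR"
        if cur_val in page and "sortField" in page and not _matches_sort_field(
                page[cur_val], page["sortField"]):
            return "DISCOVERY_INVALID_CURSOR_FORMAT"
    return None

def next_page(body, response):
    """Build the follow-up request from pageInfo, or None when hasNext is false."""
    info = response["response"]["pageInfo"]
    if not info.get("hasNext"):
        return None
    nxt = copy.deepcopy(body)  # leave the caller's request untouched
    page = nxt["payload"].setdefault("recursiveData", {})
    for key in ("firstId", "firstSortValue"):  # stale backward cursor
        page.pop(key, None)
    cursor = info["nextCursor"]  # assumed to map onto lastId / lastSortValue
    page.update(direction="next", lastId=cursor["id"], lastSortValue=cursor["sortValue"])
    return nxt
```

Calling check_recursive_data on the recursiveData object before each POST surfaces the 400 conditions locally, and next_page returns None once hasNext is false so a discovery loop terminates.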

References

Understanding the sample URL
  • IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
    • IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication.

      The IP address will be included in the endpoint URL for an on-prem deployment.

    • HostName: A human-readable label assigned to a device (host) on a network.

      The hostname will be included in the endpoint URL for an on-prem deployment.

    • TenantName: A label that identifies the tenant whose data the API request will access or modify.

      The tenant name will be included in the endpoint URL for a SaaS deployment.

  • GWPORT: AppViewX gateway port.

    A gateway port refers to a network port through which data is sent and received to communicate with a gateway in an on-prem deployment.

    Example: 31443

  • avxapi: Path parameter value (static) that is part of the endpoint's URL.
  • Endpoint: Endpoint of the API, for example: execute-hook.
  • gwsource: Source or origin of a gateway, for example: external.