Download certificates
This section describes how to use the API to download a completed batch job.
When the status of a batch job is COMPLETE, you can download the issued certificates and private keys. To do this, submit a GET request to the following API endpoint:
{{base_url}}/iot/api/v1/batch-enroll/{{job_id}}/download-certificates
Tip
For detailed information about this endpoint, see the API reference: Download certificates.
In the request URL:
Replace
base_urlwith the base URL of your DigiCert ONE instance (for example,https://one.digicert.com).Replace
{{job_id}}with the batch job ID returned when you created the batch job.
Response format
When you download certificates for a batch job, the response format depends on two factors:
Keypair generation method (client-side or server-side)
Certificate format (JSON, PEM, or DER)
Client-side keypair generation
PEM/DER
If the
certificate_formatisPEMorDER, theContent-Typeheader in the API response isapplication/zip. The download is a compressed ZIP file with the issued certificates.JSON
If the
certificate_formatisJSON, theContent-Typeheader in the API response isapplication/json. The JSON response contains a list of certificate objects with the issued certificates. See Example response (JSON format).
Server-side keypair generation
PEM/DER
If the
certificate_formatisPEMorDER, theContent-Typeheader in the API response isapplication/pkcs7-mimeif you provided a certificate to encrypt the results orapplication/pgp-encryptedif you used a PGP public key.To access the certificates and private keys, you must decrypt the returned file. For example:
JSON
If the
certificate_formatisJSON, the response has aContent-Typeheader ofapplication/json. The JSON response contains a list of certificate objects with the issued certificates and encrypted private keys. See Example response (JSON format).
Example response (JSON format)
This example shows the response when you download certificates for a batch enrollment job. For this example:
The
certificate_formatisJSON.The batch job uses server-side keypair generation, so the response includes both the issued certificates and the encryped private keys.
Note
If a batch job uses client-side keypair generation, private keys are not included when you download the certificates.
{
"job_id": "e6006353-ba03-4909-afc8-c611f00d7644",
"chain": [
{
"cert_type": "intermediate",
"blob": "MIID5DCCAsy...N/mqQ==",
"common_name": "ICA RSA"
},
{
"cert_type": "root",
"blob": "MIIDxDC...fL+7bk=",
"common_name": "RSA Root"
}
],
"certificates": [
{
"id": "60f0f385-9afa-464b-9811-d337245c4363",
"unique_identifier": "Line #0000001",
"body": "-----BEGIN CERTIFICATE-----\nMIID...K8FhP\n-----END CERTIFICATE-----\n",
"private_key": "MIAGCSq...tLQo="
},
{
"id": "9766ee7c-62d5-47f4-b4cf-475409c62eea",
"unique_identifier": "Line #0000002",
"body": "-----BEGIN CERTIFICATE-----\nMIID...3KFxa\n-----END CERTIFICATE-----\n",
"private_key": "MIAGCSq...LQo="
}
]
}JSON response parameters
Name | Type | Description |
|---|---|---|
job_id | string | Batch job ID. |
chain | array of objects | List of objects with details about each certificate in the issuing chain for the batch job. Each certificate in the |
.. cert_type | string | Certificate type ( |
.. blob | string | Certificate body. |
.. common_name | string | Certificate common name. |
certificates | array of objects | List of certificates and encrypted private keys. |
.. id | string | Certificate ID. |
.. unique_identifier | string | Certificate unique identifier. |
.. body | string | End-entity certificate in PEM format. |
.. private_key | string | For batch jobs using server-side keypair generation, returns the encrypted private key. Omitted for batch jobs using client-side keypair generation. |