Start the batch job

This section includes instructions and examples to help you format your API request to start a batch enrollment job in DigiCert® IoT Trust Manager.

Before you begin, make sure to prepare your enrollment data according to the requirements of the keypair generation method you want to use. Then, to start the batch job, submit a POST request to the API endpoint associated with your chosen keypair generation method.

Get example API requests from DigiCert® IoT Trust Manager

You can copy example cURL requests that show the syntax for creating batch jobs with an enrollment profile from your DigiCert® IoT Trust Manager account:

  1. Sign in to DigiCert ONE.

  2. In DigiCert® IoT Trust Manager, open the enrollment profile details page for the enrollment profile you are using for your batch job.

  3. In the API section, under Batch certificate requests, select your keypair generation method.

  4. Copy the cURL example to your clipboard.

Request parameters

This section describes some of the parameters used in requests to start a batch job. The endpoint path, request body structure, and required parameters vary depending on your chosen keypair generation method. For example payloads for each method, visit the sections below:

Tip

For a complete list of request parameters and their meanings, see the API reference: Batch enrollment jobs.

| Name | Req/Opt | Type | Description |
|---|---|---|---|
| certificate_format | required | string | File format of certificate output. Allowed values: pem (certificates will be delivered in PEM format), der (certificates will be delivered in DER format), json (response will be provided in JSON format), smpb (response will be provided in MPKI-8 compatible format). |
| include_full_chain_with_each_certificate | optional | bool | If true, the batch job delivers the issuing intermediate and root CA certificates for each end-entity certificate. If false, the batch job delivers only the end-entity certificates. |
| include_intermediates_with_each_certificate | optional | bool | If true, the batch job delivers the issuing intermediate CA certificates for each end-entity certificate. If false, the batch job delivers only the end-entity certificates. |
| report_format | optional | string | Batch job report format. Allowed values: csv, json. |
| private_key_format | optional | string | For batch jobs using server-side keypair generation, the format of the returned private keys. pem: returns the private keys in PEM format. der: returns the private keys in DER format. |
| private_key_syntax | optional | string | For batch jobs using server-side keypair generation, the syntax of the returned private keys. pkcs8: PKCS8. sec1_or_pkcs1: SEC1 (for ECDSA keys) or PKCS1 (for RSA keys). |

Client-side keypair generation

To create a batch enrollment job using client-side keypair generation, submit a POST request to the following API endpoint:

{{base_url}}/iot/api/v1/enrollment-profile/{{enrollment_profile_id}}/batch-enroll

Format your request as follows:

  • In the request URL:

    • Replace {{base_url}} with the base URL for your instance of DigiCert ONE (for example, https://one.digicert.com).

    • Replace {{enrollment_profile_id}} with the ID of your enrollment profile. You can copy the enrollment profile ID from the enrollment profile details page, or retrieve it from the API (see List enrollment profiles).

  • Set the value of the Content-Type header to multipart/form-data.

  • Include authentication credentials for your chosen authentication method.

    • API token

      Include the custom header x-api-key with the API token belonging to the user or service user creating the batch job.

    • Passcode

      Include the custom header passcode containing a valid passcode for authenticating to the enrollment profile.

    • Authentication certificate

      In the request URL, prefix the hostname with clientauth (for example, https://clientauth.one.digicert.com). Present a trusted authentication certificate when you submit your request.

  • In the request body, provide your enrollment data. See enrollment data requirements for client-side keypair generation.

A successful request returns a response status code of 200 OK. The response includes the ID of the newly created batch job. Store this ID, as you need it to complete the batch enrollment flow.

Example requests and responses

Server-side keypair generation: CSV

To use a CSV file to create a batch enrollment job using server-side keypair generation, submit a POST request to the following API endpoint:

{{base_url}}/iot/api/v1/enrollment-profile/{{enrollment_profile_id}}/batch-enroll-key-gen

Format your request as follows:

  • In the request URL:

    • Replace {{base_url}} with the base URL for your instance of DigiCert ONE (for example, https://one.digicert.com).

    • Replace {{enrollment_profile_id}} with the ID of your enrollment profile. You can copy the enrollment profile ID from the enrollment profile details page, or retrieve it from the API (see List enrollment profiles).

  • Set the value of the Content-Type header to multipart/form-data.

  • Include authentication credentials for your chosen authentication method.

    • API token

      Include the custom header x-api-key with the API token belonging to the user or service user creating the batch job.

    • Passcode

      Include the custom header passcode containing a valid passcode for authenticating to the enrollment profile.

    • Authentication certificate

      In the request URL, prefix the hostname with clientauth (for example, https://clientauth.one.digicert.com). Present a trusted authentication certificate when you submit your request.

  • In the request body, provide your enrollment data and a certificate or PGP public key to encrypt the issued certificates. See CSV requirements for server-side keypair generation.

A successful request returns a response status code of 200 OK. The response includes the ID of the newly created batch job. Store this ID, as you need it to complete the batch enrollment flow.

Example requests and responses

Server-side keypair generation: MAC addresses

To use MAC addresses to create a batch enrollment job using server-side keypair generation, submit a POST request to the following API endpoint:

{{base_url}}/iot/api/v1/enrollment-profile/{{enrollment_profile_id}}/batch-enroll-key-gen-mac

Format your request as follows:

  • In the request URL:

    • Replace {{base_url}} with the base URL for your instance of DigiCert ONE (for example, https://one.digicert.com).

    • Replace {{enrollment_profile_id}} with the ID of your enrollment profile. You can copy the enrollment profile ID from the enrollment profile details page, or retrieve it from the API (see List enrollment profiles).

  • Set the value of the Content-Type header to multipart/form-data.

  • Include authentication credentials for your chosen authentication method.

    • API token

      Include the custom header x-api-key with the API token belonging to the user or service user creating the batch job.

    • Passcode

      Include the custom header passcode containing a valid passcode for authenticating to the enrollment profile.

    • Authentication certificate

      In the request URL, prefix the hostname with clientauth (for example, https://clientauth.one.digicert.com). Present a trusted authentication certificate when you submit your request.

  • In the request body, provide your enrollment data and a certificate or PGP public key to encrypt the issued certificates. See MAC address requirements for server-side keypair generation.

A successful request returns a response status code of 200 OK. The response includes the ID of the newly created batch job. Store this ID, as you need it to complete the batch enrollment flow.
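The request-formatting rules for the three keypair generation methods can be checked locally before anything is sent. The following is an added example, not DigiCert's code: the function name, the method keys (client, server_csv, server_mac) and the auth labels are hypothetical, and rejecting private key parameters on the client-side endpoint is a local strictness choice rather than documented API behavior.

```python
from urllib.parse import urlsplit, urlunsplit

# Endpoint suffixes and allowed parameter values as listed on this page.
ENDPOINTS = {"client": "batch-enroll", "server_csv": "batch-enroll-key-gen",
             "server_mac": "batch-enroll-key-gen-mac"}
ALLOWED = {
    "certificate_format": {"pem", "der", "json", "smpb"},
    "report_format": {"csv", "json"},
    "private_key_format": {"pem", "der"},
    "private_key_syntax": {"pkcs8", "sec1_or_pkcs1"},
}
SERVER_ONLY = {"private_key_format", "private_key_syntax"}
AUTH_HEADERS = {"api_token": "x-api-key", "passcode": "passcode"}


def build_batch_request(base_url, profile_id, method, auth, secret=None, **params):
    """Return (url, headers, params) for a batch job POST, or raise ValueError."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base_url must be an https URL")
    if method not in ENDPOINTS:
        raise ValueError(f"unknown keypair generation method {method!r}")
    if not profile_id or any(c in profile_id for c in "/?#"):
        raise ValueError("profile_id must not be empty or contain URL delimiters")
    if "certificate_format" not in params:
        raise ValueError("certificate_format is required")
    for name, value in params.items():
        if name in ALLOWED and value not in ALLOWED[name]:
            raise ValueError(f"{name}={value!r} is not an allowed value")
        if name in SERVER_ONLY and method == "client":
            raise ValueError(f"{name} applies only to server-side keypair generation")
    headers, host = {}, parts.netloc
    if auth in AUTH_HEADERS:
        if not secret:
            raise ValueError(f"{auth} authentication needs a secret")
        headers[AUTH_HEADERS[auth]] = secret
    elif auth == "certificate":
        # Certificate auth: prefix the hostname with clientauth and send no
        # secret header; the TLS client certificate is presented by the HTTP client.
        if not host.startswith("clientauth."):
            host = "clientauth." + host
    else:
        raise ValueError(f"unknown auth method {auth!r}")
    # Content-Type multipart/form-data (with its boundary) is set by the HTTP
    # client when the enrollment data is attached as the request body.
    path = f"/iot/api/v1/enrollment-profile/{profile_id}/{ENDPOINTS[method]}"
    return urlunsplit(("https", host, path, "", "")), headers, params
```
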

Example requests and responses

Check batch job status

DigiCert® IoT Trust Manager processes batch jobs in the order they are received. After submitting a request to start a batch job, you can track its progress by using the API to poll batch job status.

To get the status of a batch job, submit a GET request to the following endpoint:

{{base_url}}/iot/api/v1/batch-enroll/{{job_id}}

Tip

For detailed information about this endpoint, see the API reference: Batch job details.

In the request URL:

  • Replace {{base_url}} with the base URL of your DigiCert ONE instance (for example, https://one.digicert.com).

  • Replace {{job_id}} with the batch job ID returned when you created the batch job.

This endpoint returns a status field with the current batch job status.

  • Jobs that are PENDING_APPROVAL must be approved before DigiCert® IoT Trust Manager processes the enrollments.

  • Jobs that are IN_PROGRESS are currently processing.

  • Jobs that are COMPLETE are ready to download.
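A polling loop over these statuses, as an added example that is not part of DigiCert's documentation. fetch_status is a hypothetical caller-supplied function that performs the GET request and returns the status field; the delays are assumptions. Any status value this page does not list stops the loop instead of being polled indefinitely.

```python
import time

# Non-final statuses named on this page.
WAITING = {"PENDING_APPROVAL", "APPROVED", "IN_PROGRESS"}


def wait_for_batch_job(fetch_status, max_wait=3600.0, first_delay=5.0,
                       max_delay=120.0, sleep=time.sleep, clock=time.monotonic):
    """Poll until the job is COMPLETE; return the distinct statuses seen, in order.

    fetch_status (hypothetical) performs the GET on
    {{base_url}}/iot/api/v1/batch-enroll/{{job_id}} and returns the status field.
    """
    seen, delay, deadline = [], first_delay, clock() + max_wait
    while True:
        status = fetch_status()
        if not seen or seen[-1] != status:
            seen.append(status)
        if status == "COMPLETE":
            return seen
        if status not in WAITING:
            # A value not listed on this page (for example after an approver
            # rejects the job) is surfaced to the caller, not retried.
            raise RuntimeError(f"unexpected batch job status {status!r}; history {seen}")
        if clock() + delay > deadline:
            raise TimeoutError(f"job still {status} after {max_wait} s; history {seen}")
        sleep(delay)
        delay = min(delay * 2, max_delay)  # back off so polling stays cheap


def demo():
    # Constructed status sequence for an auto-approved enrollment profile.
    replies = iter(["APPROVED", "IN_PROGRESS", "IN_PROGRESS", "COMPLETE"])
    return wait_for_batch_job(lambda: next(replies), sleep=lambda s: None)
```

A job that stays in PENDING_APPROVAL until the deadline raises TimeoutError with the status history, which tells the operator that approval, not processing, is what the job is waiting on.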

Example request and response

What's next?

After you submit a request to start a batch enrollment job, the next step depends on whether the enrollment profile requires certificate approvals.

When approvals are required

If the enrollment profile requires certificate approvals, a user with the right permissions must approve the batch job before DigiCert® IoT Trust Manager processes the enrollments in your request.

After receiving your request to start a batch job, DigiCert® IoT Trust Manager sends notifications to the approvers listed in the enrollment profile's configuration. To approve or reject the batch job, approvers can follow the instructions in the approval notification. Alternatively, if you want to manage approvals using the API, see manage batch job approvals.

When requests are auto-approved

If the enrollment profile auto-approves certificate requests, DigiCert® IoT Trust Manager immediately approves the job and queues it for processing. When processing begins, the status of the batch job changes from APPROVED to IN_PROGRESS. When the batch job status is COMPLETE, you can download the certificates.