Start the batch job
This section includes instructions and examples to help you format your API request to start a batch enrollment job in DigiCert® IoT Trust Manager.
Before you begin, make sure to prepare your enrollment data according to the requirements of the keypair generation method you want to use. Then, to start the batch job, submit a POST request to the API endpoint associated with your chosen keypair generation method.
Get example API requests from DigiCert® IoT Trust Manager
You can copy example cURL requests that show the syntax for creating batch jobs with an enrollment profile from your DigiCert® IoT Trust Manager account:
Sign in to DigiCert ONE.
In DigiCert® IoT Trust Manager, open the enrollment profile details page for the enrollment profile you are using for your batch job.
In the API section, under Batch certificate requests, select your keypair generation method.
Copy the cURL example to your clipboard.
Request parameters
This section describes some of the parameters used in requests to start a batch job. The endpoint path, request body structure, and required parameters vary depending on your chosen keypair generation method. For example payloads for each method, visit the sections below:
Tip
For a complete list of request parameters and their meanings, see the API reference: Batch enrollment jobs.
Name | Req/Opt | Type | Description |
---|---|---|---|
| required | string | File format of certificate output. Allowed values:
|
| optional | bool | If |
| optional | bool | If |
| optional | string | Batch job report format. Allowed values:
|
| optional | string | For batch jobs using server-side keypair generation, the format of the returned private keys.
|
| optional | string | For batch jobs using server-side keypair generation, the syntax of the returned private keys.
|
Client-side keypair generation
To create a batch enrollment job using client-side keypair generation, submit a POST request to the following API endpoint:
{{base_url}}/iot/api/v1/enrollment-profile/{{enrollment_profile_id}}/batch-enroll
Format your request as follows:
In the request URL:
  Replace {{base_url}} with the base URL for your instance of DigiCert ONE (for example, https://one.digicert.com).
  Replace {{enrollment_profile_id}} with the ID of your enrollment profile. You can copy the enrollment profile ID from the enrollment profile details page, or retrieve it from the API (see List enrollment profiles).
Set the value of the Content-Type header to multipart/form-data.
Include authentication credentials for your chosen authentication method.
  API token: Include the custom header x-api-key with the API token belonging to the user or service user creating the batch job.
  Passcode: Include the custom header passcode containing a valid passcode for authenticating to the enrollment profile.
  Authentication certificate: In the request URL, prefix the hostname with clientauth (for example, https://clientauth.one.digicert.com). Present a trusted authentication certificate when you submit your request.
In the request body, provide your enrollment data. See enrollment data requirements for client-side keypair generation.
A successful request returns a response status code of 200 OK. The response includes the ID of the newly created batch job. Store this ID, as you need it to complete the batch enrollment flow.
Example requests and responses
Server-side keypair generation: CSV
To use a CSV file to create a batch enrollment job using server-side keypair generation, submit a POST request to the following API endpoint:
{{base_url}}/iot/api/v1/enrollment-profile/{{enrollment_profile_id}}/batch-enroll-key-gen
Format your request as follows:
In the request URL:
  Replace {{base_url}} with the base URL for your instance of DigiCert ONE (for example, https://one.digicert.com).
  Replace {{enrollment_profile_id}} with the ID of your enrollment profile. You can copy the enrollment profile ID from the enrollment profile details page, or retrieve it from the API (see List enrollment profiles).
Set the value of the Content-Type header to multipart/form-data.
Include authentication credentials for your chosen authentication method.
  API token: Include the custom header x-api-key with the API token belonging to the user or service user creating the batch job.
  Passcode: Include the custom header passcode containing a valid passcode for authenticating to the enrollment profile.
  Authentication certificate: In the request URL, prefix the hostname with clientauth (for example, https://clientauth.one.digicert.com). Present a trusted authentication certificate when you submit your request.
In the request body, provide your enrollment data and a certificate or PGP public key to encrypt the issued certificates. See CSV requirements for server-side keypair generation.
A successful request returns a response status code of 200 OK. The response includes the ID of the newly created batch job. Store this ID, as you need it to complete the batch enrollment flow.
Example requests and responses
Server-side keypair generation: MAC addresses
To use MAC addresses to create a batch enrollment job using server-side keypair generation, submit a POST request to the following API endpoint:
{{base_url}}/iot/api/v1/enrollment-profile/{{enrollment_profile_id}}/batch-enroll-key-gen-mac
Format your request as follows:
In the request URL:
  Replace {{base_url}} with the base URL for your instance of DigiCert ONE (for example, https://one.digicert.com).
  Replace {{enrollment_profile_id}} with the ID of your enrollment profile. You can copy the enrollment profile ID from the enrollment profile details page, or retrieve it from the API (see List enrollment profiles).
Set the value of the Content-Type header to multipart/form-data.
Include authentication credentials for your chosen authentication method.
  API token: Include the custom header x-api-key with the API token belonging to the user or service user creating the batch job.
  Passcode: Include the custom header passcode containing a valid passcode for authenticating to the enrollment profile.
  Authentication certificate: In the request URL, prefix the hostname with clientauth (for example, https://clientauth.one.digicert.com). Present a trusted authentication certificate when you submit your request.
In the request body, provide your enrollment data and a certificate or PGP public key to encrypt the issued certificates. See MAC address requirements for server-side keypair generation.
A successful request returns a response status code of 200 OK. The response includes the ID of the newly created batch job. Store this ID, as you need it to complete the batch enrollment flow.
Example requests and responses
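The URL and authentication rules for the three keypair generation methods above, as an added example that is not DigiCert's code. The keygen and auth labels, the function name, and the allowed ID character set are assumptions of this example; the request body is left out because its field names are not shown on this page.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Endpoint suffixes as given on this page, keyed by keypair generation method.
ENDPOINTS = {
    "client": "batch-enroll",
    "server-csv": "batch-enroll-key-gen",
    "server-mac": "batch-enroll-key-gen-mac",
}
# Header names as given on this page, keyed by authentication method.
AUTH_HEADERS = {"api-token": "x-api-key", "passcode": "passcode"}


def batch_request_target(base_url, profile_id, keygen, auth, secret=None):
    """Return (url, headers) for the POST that starts a batch job.

    The keygen/auth labels are this example's own names, not API values.
    Content-Type: multipart/form-data is left to the HTTP client, which
    has to append the boundary parameter itself.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("base_url must be an https URL")
    # Assumption: IDs contain only letters, digits, '-' and '_'. Rejecting
    # anything else keeps '/', '..' and '?' out of the request path.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", profile_id):
        raise ValueError("unexpected characters in enrollment profile ID")
    host, headers = parts.netloc, {}
    if auth == "certificate":
        # Certificate auth: prefix the hostname with "clientauth". The TLS
        # client certificate is presented by the HTTP client, not a header.
        if secret is not None:
            raise ValueError("certificate auth takes no header secret")
        if not host.startswith("clientauth."):
            host = "clientauth." + host
    else:
        if not secret:
            raise ValueError("missing secret for " + auth)
        headers[AUTH_HEADERS[auth]] = secret  # KeyError on unknown method
    path = f"/iot/api/v1/enrollment-profile/{profile_id}/{ENDPOINTS[keygen]}"
    return urlunsplit(("https", host, path, "", "")), headers
```

Read the token or passcode from the environment or a secret store at call time so it does not end up in source control or shell history.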
Check batch job status
DigiCert® IoT Trust Manager processes batch jobs in the order they are received. After submitting a request to start a batch job, you can track its progress by using the API to poll batch job status.
To get the status of a batch job, submit a GET request to the following endpoint:
{{base_url}}/iot/api/v1/batch-enroll/{{job_id}}
Tip
For detailed information about this endpoint, see the API reference: Batch job details.
In the request URL:
  Replace {{base_url}} with the base URL of your DigiCert ONE instance (for example, https://one.digicert.com).
  Replace {{job_id}} with the batch job ID returned when you created the batch job.
This endpoint returns a status field with the current batch job status.
  Jobs that are PENDING_APPROVAL must be approved before DigiCert® IoT Trust Manager processes the enrollments.
  Jobs that are IN_PROGRESS are currently processing.
  Jobs that are COMPLETE are ready to download.
Example request and response
What's next?
After you submit a request to start a batch enrollment job, the next step depends on whether the enrollment profile requires certificate approvals.
When approvals are required
If the enrollment profile requires certificate approvals, a user with the right permissions must approve the batch job before DigiCert® IoT Trust Manager processes the enrollments in your request.
After receiving your request to start a batch job, DigiCert® IoT Trust Manager sends notifications to the approvers listed in the enrollment profile's configuration. To approve or reject the batch job, approvers can follow the instructions in the approval notification. Alternatively, if you want to manage approvals using the API, see manage batch job approvals.
When requests are auto-approved
If the enrollment profile auto-approves certificate requests, DigiCert® IoT Trust Manager immediately approves the job and queues it for processing. When processing begins, the status of the batch job changes from APPROVED to IN_PROGRESS. When the batch job status is COMPLETE, you can download the certificates.
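The polling described under Check batch job status, combined with the status transitions above, as an added example that is not DigiCert's code. The function names, the injected fetch callable (which performs the authenticated GET and returns the parsed JSON body), the allowed job ID characters, and the timing defaults are assumptions of this example.

```python
import re
import time

# Status values named on this page.
WAITING = {"PENDING_APPROVAL", "APPROVED", "IN_PROGRESS"}
DONE = "COMPLETE"


def status_url(base_url, job_id):
    # Assumption: job IDs contain only letters, digits, '-' and '_'.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", job_id):
        raise ValueError("unexpected characters in job ID")
    return f"{base_url.rstrip('/')}/iot/api/v1/batch-enroll/{job_id}"


def wait_for_batch(fetch, url, timeout=3600, delay=5, max_delay=300,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll until the job is COMPLETE. fetch(url) returns the JSON body as a dict.

    Returns the distinct statuses observed, in order, ending in COMPLETE.
    """
    deadline, seen = clock() + timeout, []
    while True:
        status = fetch(url).get("status")
        if not seen or seen[-1] != status:
            seen.append(status)
        if status == DONE:
            return seen
        if status not in WAITING:
            # Fail closed: a status this page does not name (for example a
            # rejected or failed job) should stop automation, not loop.
            raise RuntimeError(f"unexpected batch job status: {status!r}")
        if clock() + delay > deadline:
            raise TimeoutError(f"job still {status} after {timeout}s")
        sleep(delay)
        # Back off for slow states such as a job awaiting human approval.
        delay = min(delay * 2, max_delay)
```

Logging the returned status list gives an audit trail of whether a job passed through PENDING_APPROVAL or was auto-approved.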