Request certificates with server-side keypair generation
Learn how to use the DigiCert® IoT Trust Manager REST API to request certificates using server-side keypair generation
When you request certificates with DigiCert® IoT Trust Manager, you can use server-side keypair generation as an alternative to providing a certificate signing request (CSR) in the enrollment request. Certificate requests that use server-side keypair generation do not include a CSR. Instead, DigiCert® IoT Trust Manager generates the private key and returns it with the end-entity certificate in the API response.
Prerequisites
To request certificates using server-side keypair generation, you need:
- API authentication credentials, such as an API token, service user API token, or client authentication certificate, for a user or service user with permission to manage certificates.
- An enrollment profile with the following attributes:
  - Supports the API enrollment method (enrollment_methods includes API).
  - Allows server-side keypair generation (key_generation_option is either server_side or client_or_server_side).
- Ability to send API requests.
Request parameters
To request or renew a certificate using server-side keypair generation, submit a POST request to the appropriate API endpoint:
In your JSON payload, use the request parameters described below. The structure and required parameters vary depending on your chosen private key format (private_key_format). For example payloads for each private key format, see Examples.
Tip
This guide focuses on the parameters used to create a certificate request using server-side keypair generation. To see all options available when submitting a certificate request, see the Swagger UI API reference:
Name | Req/Opt | Type | Description |
---|---|---|---|
 | required | string | ID of the enrollment profile. For server-side keypair generation, use an enrollment profile that supports the API enrollment method and allows server-side keypair generation (see Prerequisites). |
certificate_profile_attributes | conditional | array of objects | List of objects of the form "certificate_profile_attributes": [ { "id": "<id>", "value": "<value>" }, ... ]. The enrollment profile configuration determines which certificate attributes are required in the certificate request. If you aren't sure which attributes to use, you can get an example JSON payload from DigiCert® IoT Trust Manager. Note: For a list of allowed … |
device_attributes | conditional | array of objects | List of objects of the form "device_attributes": [ { "id": "<id>", "value": "<value>" }, ... ]. The enrollment profile configuration determines which device attributes are required in the certificate request. If you aren't sure which attributes to use, you can get an example JSON payload from DigiCert® IoT Trust Manager. |
 | conditional | bool | To use server-side keypair generation, this parameter must be present in your request with a … If … |
 | optional | string | Determines the key type for keypair generation. This parameter is ignored if the key type for server-side keypair generation is fixed in the enrollment profile (…). You must choose a key type your enrollment profile supports. If not provided, DigiCert® IoT Trust Manager generates the private key using the default key type set for the enrollment profile. Allowed key types are limited by the certificate profile associated with the enrollment profile in the request. Allowed key types may include: … |
private_key_format | conditional | string | Determines the format of the private key. Allowed values, each described under Examples: pem, der, pkcs_12, cert_encrypted, cert_encrypted_key_only. |
 | optional | string | Determines the private key syntax. Allowed values: … |
pkcs12_password | conditional | string | Password that protects the PKCS12 file containing the private key. Required if the value of the private_key_format parameter is pkcs_12. |
 | optional | bool | If … By default, the returned file also includes the issuing intermediate and root CAs. To omit the certificate chain from the returned file, use … Passing in a … |
 | optional | bool | If … Additionally, if using server-side keypair generation with a … |
Examples
The following examples demonstrate how to request certificates using server-side keypair generation for each private key format. Each usage example includes:
- Example JSON request and response bodies.
- Example commands for decoding and, if applicable, decrypting the returned private key.
To get the private key in PEM format, set the value of the private_key_format parameter to pem in the JSON body of your request.
In the default JSON response, DigiCert® IoT Trust Manager returns the private key as a PEM-formatted string.
To get the private key in DER format, set the value of the private_key_format parameter to der in the JSON body of your request.
In the default JSON response, DigiCert® IoT Trust Manager returns the private key as base64-encoded DER binary.
Decode DER file
After obtaining the base64 private_key value, you can decode it to a DER file. For example, on Mac or Linux systems, use the base64 command.
To run this example, replace the placeholder values:
- <base64_encoded_DER_binary>: Value of the private_key parameter in the API response.
- <output.der>: Name of the DER output file.
To get the private key in PKCS12 format, format your request payload as follows:
- Set the value of the private_key_format parameter to pkcs_12.
- Use the pkcs12_password parameter to set a password for the PKCS12 file. The password must be between 6 and 20 characters long, and allowed characters are A-Z, a-z, and 0-9.
Decode PFX file
After obtaining the base64 private_key value, you can decode it to a PFX file. For example, on Mac or Linux systems, use the base64 command.
To run this example, replace the placeholder values:
- <base64_encoded_PKCS12_file>: Value of the private_key parameter in the API response.
- <output.pfx>: Name of the PFX output file.
Extract private key and certificates from PFX file
After decoding your PFX file, you can extract the private key and certificates.
For example, if your operating system includes OpenSSL, use the pkcs12 command. When prompted, enter the password you provided in the certificate request.
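The decode and extract steps above, for the der and pkcs_12 formats, as an added shell example (not DigiCert's own commands). The function names decode_private_key, extract_pfx and demo_pkcs12_roundtrip are this example's own, the openssl pkcs12 flags are an assumed form of the command the page refers to, and the demo builds a PKCS12 file locally as a constructed stand-in for the service response. It assumes a base64 that accepts -d (older macOS releases spell it -D) and the openssl CLI.

```shell
#!/bin/sh
# Added example, not DigiCert code. Turns the private_key value from a
# server-side keygen response into a file, then (for pkcs_12) unpacks it.
# Assumes POSIX sh, a base64 command that accepts -d, and the openssl CLI.

# decode_private_key FORMAT VALUE OUTFILE
# der, pkcs_12 and the two cert_encrypted formats arrive base64-encoded and
# are decoded; pem arrives as a PEM string and is written out unchanged.
# Prints the path written so callers can chain the next step.
decode_private_key() {
  fmt=$1; value=$2; out=$3
  case "$fmt" in
    pem)
      printf '%s\n' "$value" > "$out" ;;
    der|pkcs_12|cert_encrypted|cert_encrypted_key_only)
      printf '%s' "$value" | base64 -d > "$out" || return 1 ;;
    *)
      echo "unsupported private_key_format: $fmt" >&2; return 1 ;;
  esac
  printf '%s\n' "$out"
}

# extract_pfx PFX PASSWORD OUTPEM
# Unpacks a PKCS12 file into one unencrypted PEM file holding the private key,
# the end-entity certificate and, if the service included it, the chain.
# -nodes writes the key unencrypted; drop it to keep the key passphrase-protected.
# Prints a summary so a caller can check the bundle is complete.
extract_pfx() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3" 2>/dev/null || return 1
  printf 'keys=%s certs=%s\n' \
    "$(grep -c 'BEGIN.*PRIVATE KEY' "$3")" "$(grep -c 'BEGIN CERTIFICATE' "$3")"
}

# Constructed fixture: build a PKCS12 bundle locally in place of the service,
# base64-encode it the way the JSON response does, and run the client-side
# decode and extract steps end to end. The password follows the documented
# 6-20 character [A-Za-z0-9] rule. Prints the bundle summary.
demo_pkcs12_roundtrip() {
  dir=$(mktemp -d); pw=Demo123456
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=device-0001 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -passout "pass:$pw" -out "$dir/service.p12" 2>/dev/null
  b64=$(base64 "$dir/service.p12" | tr -d '\n')   # what "private_key" would hold
  pfx=$(decode_private_key pkcs_12 "$b64" "$dir/out.pfx")
  extract_pfx "$pfx" "$pw" "$dir/bundle.pem"
  rm -rf "$dir"
}
```

The summary line from extract_pfx is the check worth keeping: a bundle with certs=1 means the chain was omitted from the response, so the device will need the intermediate from elsewhere.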
To return a private_key value containing the encrypted private key, end-entity certificate, and (if requested) complete certificate chain, format your request payload as follows:
- Set the value of the private_key_format request parameter to cert_encrypted.
- Use the encryption_certificate request parameter to provide a PEM-formatted end-entity certificate that DigiCert® IoT Trust Manager can use to encrypt the private key.
This option returns a certificate bundle (ZIP file) containing your issued certificate and private key. DigiCert® IoT Trust Manager encrypts the certificate bundle and returns it as a P7M file. In the default JSON response, the private_key parameter returns the base64-encoded P7M file.
To access your certificate bundle:
1. Decrypt the P7M file with your encryption certificate and the corresponding private key.
2. Decompress the resulting ZIP bundle.
Example JSON request for certificate-encrypted bundle:
Decode certificate bundle
After obtaining the base64 private_key value, you can decode it to an encrypted P7M file. For example, on Mac or Linux systems, use the base64 command.
To run this example, replace the placeholder values:
- <base64_private_key>: Value of the private_key parameter in the API response.
- <output.p7m>: Name of the P7M output file.
Decrypt certificate bundle
After decoding your certificate bundle, you can decrypt it to a ZIP file by using the encryption certificate that was included in the enrollment request.
For example, if your operating system includes OpenSSL, use the smime command:
To run this example, replace the placeholder values:
- <input.p7m>: P7M file with the private key you want to decrypt.
- <output.zip>: Name of the ZIP output file to which the decrypted certificate bundle is written.
- <encryption_key.key>: Path to the private key for your encryption certificate.
- <encryption_certificate.pem>: Path to your encryption certificate.
To get a private_key response parameter that only contains the encrypted private key, format your request payload as follows:
- Set the value of the private_key_format request parameter to cert_encrypted_key_only.
- Use the encryption_certificate request parameter to provide the PEM-formatted end-entity certificate that DigiCert® IoT Trust Manager uses to encrypt the private key.
Use this option as an alternative to encrypting the entire certificate bundle.
Note
When using cert_encrypted_key_only, the API still returns the issued certificate (and, if requested, the complete certificate chain) in the pem field.
Decode private key
After obtaining the base64 private_key value, you can decode it to an encrypted P7M file. For example, on Mac or Linux systems, use the base64 command.
To run this example, replace the placeholder values:
- <base64_private_key>: Value of the private_key parameter in the API response.
- <output.p7m>: Name of the P7M output file.
Decrypt private key
After decoding your private key, you can decrypt it to a PEM or KEY file by using the encryption certificate that was included in the enrollment request.
For example, if your operating system includes OpenSSL, use the smime command:
To run this example, replace the placeholder values:
- <input.p7m>: P7M file with the private key you want to decrypt.
- <output.pem/key>: Name of the PEM or KEY output file to which the decrypted private key is written.
- <encryption_key.key>: Path to the private key for your encryption certificate.
- <encryption_certificate.pem>: Path to your encryption certificate.
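The smime decryption step for both the cert_encrypted bundle and the cert_encrypted_key_only private key, as an added shell example (not DigiCert's own commands). The function names decrypt_p7m, classify_decrypted and demo_key_only_roundtrip are this example's own; the openssl smime flags are an assumed form of the command the page refers to, including the assumption that the P7M is a binary DER CMS envelope (switch -inform if yours is PEM or S/MIME). The demo encrypts a locally generated key to a locally generated encryption certificate as a constructed stand-in for what the service returns.

```shell
#!/bin/sh
# Added example, not DigiCert code. Client-side handling of the P7M returned
# for private_key_format cert_encrypted (ZIP bundle) and
# cert_encrypted_key_only (bare key). Assumes POSIX sh, the openssl CLI, and
# that the P7M is a binary DER CMS envelope (adjust -inform otherwise).

# decrypt_p7m IN_P7M OUT ENC_KEY ENC_CERT
# Opens the envelope with the private key belonging to the encryption
# certificate that was sent in the enrollment request. OUT is the ZIP bundle
# for cert_encrypted or the PEM key for cert_encrypted_key_only.
decrypt_p7m() {
  openssl smime -decrypt -binary -inform DER -in "$1" -out "$2" \
    -inkey "$3" -recip "$4" 2>/dev/null
}

# classify_decrypted FILE
# Reports what came out so the next step is unambiguous: a ZIP archive
# (starts with the "PK" magic) to unzip, or a PEM private key to install.
classify_decrypted() {
  if [ "$(head -c 2 "$1")" = "PK" ]; then
    echo zip-bundle
  elif grep -q 'BEGIN.*PRIVATE KEY' "$1"; then
    echo pem-key
  else
    echo unknown
  fi
}

# Constructed fixture: stand in for the service by encrypting a freshly made
# device key to a locally generated encryption certificate, then run the
# client-side decrypt and classification. Prints the classification and
# whether the decrypted key is byte-identical to the original.
demo_key_only_roundtrip() {
  dir=$(mktemp -d)
  # Encryption certificate and key the client owns (enrollment request input).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=enc-client \
    -keyout "$dir/enc.key" -out "$dir/enc.pem" 2>/dev/null
  # Device key the service would generate and wrap for this client.
  openssl genrsa -out "$dir/device.key" 2048 2>/dev/null
  openssl smime -encrypt -binary -aes256 -outform DER \
    -in "$dir/device.key" -out "$dir/private_key.p7m" "$dir/enc.pem" 2>/dev/null
  decrypt_p7m "$dir/private_key.p7m" "$dir/device_out.key" "$dir/enc.key" "$dir/enc.pem"
  kind=$(classify_decrypted "$dir/device_out.key")
  if cmp -s "$dir/device.key" "$dir/device_out.key"; then match=yes; else match=no; fi
  rm -rf "$dir"
  printf '%s match=%s\n' "$kind" "$match"
}
```

Only the holder of the encryption certificate's private key can open the envelope, which is the point of the cert_encrypted formats: the generated device key never crosses the API in the clear, so keep that private key on the device or HSM that will consume the response rather than on the machine that merely sends the request.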
Get example JSON payloads from DigiCert® IoT Trust Manager
DigiCert® IoT Trust Manager provides example JSON payloads that you can copy and modify to construct valid certificate requests for each enrollment profile in your account. Each of these examples includes the required certificate and device attributes that are associated with the given enrollment profile. To get example JSON payloads for API enrollment requests:
1. In DigiCert ONE, in the Manager menu (top right), select DigiCert® IoT Trust Manager.
2. In the DigiCert® IoT Trust Manager menu, select Enrollment configurations > Enrollment profiles.
3. On the Enrollment profiles page, locate the enrollment profile you are using to request certificates via API.
4. On the Enrollment profile details page, scroll to the API section.
5. Select the operation you want to perform (Enroll certificate or Renew certificate).
6. Under Individual certificate requests, expand the example for server-side keypair generation: DigiCert ONE generates keypairs.
7. Under Sample body, copy the JSON example and paste it into the text editor or HTTP client of your choice.