Download certificates

This section describes how to use the API to download a completed batch job.

When the status of a batch job is COMPLETE, you can download the issued certificates and private keys. To do this, submit a GET request to the following API endpoint:

{{base_url}}/iot/api/v1/batch-enroll/{{job_id}}/download-certificates

In the request URL:

  • Replace {{base_url}} with the base URL of your DigiCert ONE instance (for example, https://one.digicert.com).
  • Replace {{job_id}} with the batch job ID returned when you created the batch job.

Response format

When you download certificates for a batch job, the response format depends on two factors:

  • Keypair generation method (client-side or server-side)
  • Certificate format (JSON, PEM, or DER)

Client-side keypair generation

  • PEM/DER: If the certificate_format is PEM or DER, the Content-Type header in the API response is application/zip. The download is a compressed ZIP file with the issued certificates.
  • JSON: If the certificate_format is JSON, the Content-Type header in the API response is application/json. The JSON response contains a list of certificate objects with the issued certificates. See Example response (JSON format).

Server-side keypair generation

  • PEM/DER: If the certificate_format is PEM or DER, the Content-Type header in the API response is application/pkcs7-mime if you provided a certificate to encrypt the results, or application/pgp-encrypted if you used a PGP public key. To access the certificates and private keys, you must decrypt the returned file. For example, to decrypt a P7M file with OpenSSL:

      openssl smime -binary -decrypt -aes256 -inform DER -in <input.p7m> -out <output.zip> -inkey <encryption_key.key> <encryption_certificate.pem>
      
      To run this example, replace the placeholder values:
      
      - `<input.p7m>`: P7M file you want to decrypt.
      - `<output.zip>`: Name of ZIP output file to which the decrypted files are written.
      - `<encryption_key.key>`: Path to private key for your encryption certificate.
      - `<encryption_certificate.pem>`: Path to your encryption certificate.
      
      To decrypt a PGP file with GPG:

      gpg --output <output.zip> --decrypt <input.pgp>
      
      To run this example, replace the placeholder values:
      
      - `<input.pgp>`: PGP file you want to decrypt.
      - `<output.zip>`: Name of ZIP output file to which the decrypted files are written.
      
  • JSON: If the certificate_format is JSON, the response has a Content-Type header of application/json. The JSON response contains a list of certificate objects with the issued certificates and encrypted private keys. See Example response (JSON format).

Example response (JSON format)

This example shows the response when you download certificates for a batch enrollment job. For this example:

  • The certificate_format is JSON.
  • The batch job uses server-side keypair generation, so the response includes both the issued certificates and the encrypted private keys.

{
    "job_id": "e6006353-ba03-4909-afc8-c611f00d7644",
    "chain": [
        {
            "cert_type": "intermediate",
            "blob": "MIID5DCCAsy...N/mqQ==",
            "common_name": "ICA RSA"
        },
        {
            "cert_type": "root",
            "blob": "MIIDxDC...fL+7bk=",
            "common_name": "RSA Root"
        }
    ],
    "certificates": [
        {
            "id": "60f0f385-9afa-464b-9811-d337245c4363",
            "unique_identifier": "Line #0000001",
            "body": "-----BEGIN CERTIFICATE-----\nMIID...K8FhP\n-----END CERTIFICATE-----\n",
            "private_key": "MIAGCSq...tLQo="
        },
        {
            "id": "9766ee7c-62d5-47f4-b4cf-475409c62eea",
            "unique_identifier": "Line #0000002",
            "body": "-----BEGIN CERTIFICATE-----\nMIID...3KFxa\n-----END CERTIFICATE-----\n",
            "private_key": "MIAGCSq...LQo="
        }
    ]
}

JSON response parameters

| Name | Type | Description |
|---|---|---|
| job_id | string | Batch job ID. |
| chain | array of objects | List of objects with details about each certificate in the issuing chain for the batch job. Each certificate in the chain array is signed by the certificate in the object that follows it. |
| .. cert_type | string | Certificate type (root or intermediate). |
| .. blob | string | Certificate body. |
| .. common_name | string | Certificate common name. |
| certificates | array of objects | List of certificates and encrypted private keys. |
| .. id | string | Certificate ID. |
| .. unique_identifier | string | Certificate unique identifier. |
| .. body | string | End-entity certificate in PEM format. |
| .. private_key | string | For batch jobs using server-side keypair generation, returns the encrypted private key. Omitted for batch jobs using client-side keypair generation. |
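
One way to store the JSON response described above on disk, as an added example that is not DigiCert's own code: each certificate goes to its own file and each encrypted private key to an owner-only file. The names save_batch and _write_new, the .pem and .key.enc suffixes, and the sample response are assumptions made for this example.

```python
import json, os, tempfile, uuid

# save_batch, _write_new and the file suffixes are names chosen for this example.
# Constructed sample shaped like the page's JSON example (placeholder values, not real keys).
# The second entry has no private_key, as for client-side keypair generation.
SAMPLE = json.dumps({"job_id": "e6006353-ba03-4909-afc8-c611f00d7644", "chain": [], "certificates": [
    {"id": "60f0f385-9afa-464b-9811-d337245c4363", "unique_identifier": "Line #0000001",
     "body": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n",
     "private_key": "MIAGCSq...placeholder"},
    {"id": "9766ee7c-62d5-47f4-b4cf-475409c62eea", "unique_identifier": "Line #0000002",
     "body": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n"},
]})


def _write_new(path, text, mode):
    # O_EXCL fails if the path already exists, so nothing is overwritten and a
    # pre-planted symlink is not followed; the mode is applied at creation time.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


def save_batch(response_text, out_dir):
    """Write <id>.pem and, when present, <id>.key.enc. Returns {id: has_private_key}."""
    data = json.loads(response_text)
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    saved = {}
    for cert in data["certificates"]:
        # File names are built from response data. unique_identifier is free text
        # ("Line #0000001"), so use id and require it to parse as a UUID: a value
        # such as "../x" raises ValueError instead of escaping out_dir.
        cert_id = str(uuid.UUID(cert["id"]))
        if not cert["body"].startswith("-----BEGIN CERTIFICATE-----"):
            raise ValueError(f"certificate {cert_id}: body is not PEM")
        _write_new(os.path.join(out_dir, cert_id + ".pem"), cert["body"], 0o644)
        key = cert.get("private_key")  # omitted for client-side keypair generation
        if key is not None:
            # Still encrypted at this point; owner-only access regardless.
            _write_new(os.path.join(out_dir, cert_id + ".key.enc"), key, 0o600)
        saved[cert_id] = key is not None
    return saved


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(save_batch(SAMPLE, tmp))
```

Running save_batch a second time against the same directory raises FileExistsError rather than replacing key files already provisioned.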