A public key infrastructure (PKI) has been widely deployed and well tested on the Internet. However, this standard practice of delivering scalable security has not yet been extended to the rapidly growing Internet of Things (IoT). Thanks to vendor hardware support and standardization of resource-efficient communication protocols, asymmetric cryptography is no longer unfeasible on small devices. To migrate IoT from poorly scalable, pair-wise symmetric encryption to PKI, a major obstacle remains: how do we certify the public keys of billions of small devices without manual checks or complex logistics? The process of certifying a public key in form of a digital certificate is called enrollment. In this paper, we design an enrollment protocol, called Indraj, to automate enrollment of certificate-based digital identities on resource-constrained IoT devices. Reusing the semantics of the Enrollment over Secure Transport (EST) protocol designed for Internet hosts, Indraj optimizes resource usage by leveraging an IoT stack consisting of Constrained Application Protocol (CoAP), Datagram Transport Layer Security (DTLS) and IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN).We evaluate our implementation on a low power 32-bit MCU, showing the feasibility of our protocol in terms of latency, power consumption and memory usage. Asymmetric cryptography enabled by automatic certificate enrollment will finally turn IoT devices into well behaved, first-class citizens on the Internet.