The certificates endpoints allow you to retrieve the public certificate used by the Postgres server for encrypting connections with SSL. Retrieving the certificate isn't necessary to connect to a provisioned Crunchy Bridge Postgres cluster, but can be used by connecting clients to verify the server's authenticity.

Connections from clients will be encrypted by virtue of using secure TCP/IP connections with SSL, but unless a client pins the public key of the server it's expecting to find, it's potentially vulnerable to a man-in-the-middle attack whereby an attacker intercepts a connection and presents their own valid SSL public key. Clients in production and other sensitive environments should always be configured with their server's certificate (retrieved from the "get" endpoint below) to protect against this attack.

Certificates and their corresponding keys are generated on a per-team basis, meaning that all clusters owned by the same team will use the same pair.

Part of the API reference collection

This page is part of the Crunchy Bridge API reference, and primarily meant to act as an exhaustive guide for technical integrations which are already in progress. To understand the basics of using the API, see API concepts and getting started.

Get certificate

Get a public certificate for a team.

Note the use of .pem at the end of the URL path, which tells the API to retrieve a team's certificate rather than a JSON representation of the team itself.

Unlike many other endpoints, certificates are returned as a PEM chain instead of JSON. PEM is a common format that encodes X.509 certificates in base64, and it is compatible with most programs that are aware of public key cryptography.

GET /teams/{team_id}.pem


Path parameters

  • team_id: Unique ID of the team to get certificates for.

cURL example

curl -X GET https://api.crunchybridge.com/teams/{team_id}.pem \
    -H "Authorization: Bearer $CRUNCHY_API_KEY"


Status: 200

Content type: application/pem-certificate-chain
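
An added example, not part of the Crunchy Bridge reference: a Python sketch that validates the PEM chain returned by this endpoint, optionally compares it with previously recorded SHA-256 fingerprints, and writes it out for a client to trust. The helper names and SAMPLE_BODY are constructed for illustration, and using the chain as libpq's sslrootcert with sslmode=verify-full is an assumption about how the client is configured.

```python
import base64
import hashlib
import re
import urllib.request

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s+-----END \1-----", re.S)

# Constructed response body; the payload is NOT a real certificate.
SAMPLE_BODY = ("-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed bytes, for illustration only" * 3).decode()
    + "-----END CERTIFICATE-----\n")

def fetch_team_pem(team_id, api_key):
    """GET /teams/{team_id}.pem; returns (content_type, body)."""
    req = urllib.request.Request(
        f"https://api.crunchybridge.com/teams/{team_id}.pem",
        headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Content-Type", ""), resp.read().decode("ascii")

def parse_pem_chain(content_type, body):
    """Return the SHA-256 fingerprint of each certificate in the response."""
    if content_type.split(";")[0].strip() != "application/pem-certificate-chain":
        raise ValueError(f"unexpected content type: {content_type!r}")
    prints = []
    for label, b64 in PEM_BLOCK.findall(body):
        if label != "CERTIFICATE":  # anything else, e.g. a private key, is rejected
            raise ValueError(f"unexpected PEM block: {label}")
        der = base64.b64decode("".join(b64.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no CERTIFICATE block in response")
    return prints

def install(content_type, body, path, known=None):
    """Validate the chain, refuse a changed one, write it, return libpq keywords."""
    prints = parse_pem_chain(content_type, body)
    if known is not None and prints != known:
        raise ValueError("certificate chain differs from the recorded fingerprints")
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    # Assumption: the chain is the client's trust root. verify-full makes libpq
    # check the server certificate against sslrootcert and against the host name.
    return {"sslmode": "verify-full", "sslrootcert": path}, prints
```

Record the fingerprints returned by the first install and pass them as known on later runs, so an unexpected change to the team's certificate is caught before a client starts trusting it.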