Certificate

The certificates endpoints allow you to retrieve the public certificate used by the Postgres server for encrypting connections with SSL. Retrieving the certificate isn't necessary to connect to a provisioned Crunchy Bridge Postgres cluster, but can be used by connecting clients to verify the server's authenticity.

Connections from clients will be encrypted by virtue of using secure TCP/IP connections with SSL, but unless a client pins the public key of the server it's expecting to find, it's potentially vulnerable to a man-in-the-middle attack whereby an attacker intercepts a connection and presents their own valid SSL public key. Clients in production and other sensitive environments should always be configured with their server's certificate (retrieved from the "get" endpoint below) to protect against this attack.

Certificates and their corresponding keys are generated on a per-team basis, meaning that all clusters owned by the same team will use the same pair.

Part of the API reference collection

This page is part of the Crunchy Bridge API reference, and primarily meant to act as an exhaustive guide for technical integrations which are already in progress. To understand the basics of using the API, see API concepts and getting started.

Get certificate

Get a public certificate for a team.

Note the use of .pem at the end of the URL path, which tells the API to retrieve a team's certificate rather than a JSON representation of the team itself.

Unlike many other endpoints, certificates are returned as a PEM chain instead of JSON. PEM is a common format that encodes X.509 certificates in base-64, and is compatible with most programs that are aware of public key cryptography.

GET /teams/{team_id}.pem

Request

Path parameters

  • team_id: Unique ID of the team to get certificates for.

cURL example

curl -X GET https://api.crunchybridge.com/teams/{team_id}.pem \
    -H "Authorization: Bearer $CRUNCHY_API_KEY"

Response

Status: 200

Content type: application/pem-certificate-chain

Example

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
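
The shell functions below are an added example, not part of the Crunchy Bridge documentation. They download the team chain from the endpoint above, refuse to install a response that is not well-formed PEM (for instance a JSON error body or a truncated download), and build a connection URI using libpq's sslmode and sslrootcert parameters. The function names and file paths are illustrative, and the example assumes the returned chain is accepted by libpq as sslrootcert and that the server certificate matches the cluster hostname.

```shell
#!/bin/sh
# Added example (not from the Crunchy Bridge docs): fetch a team's certificate
# chain, reject anything that is not well-formed PEM, and build a libpq URI
# that verifies the server against it.

# count_pem_certs FILE: print the number of complete CERTIFICATE blocks.
# Fails on an empty file, a truncated block, or stray text such as a JSON error.
count_pem_certs() {
    awk '
        BEGIN { b64 = "^[A-Za-z0-9+/=]+[ \t\r]*$" }
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----[ \t\r]*$/   { if (!inblk) bad = 1; inblk = 0; n++; next }
        inblk && $0 !~ b64            { bad = 1 }   # non-base64 inside a block
        !inblk && $0 !~ /^[ \t\r]*$/  { bad = 1 }   # text outside any block
        END { if (inblk || bad || n == 0) exit 1; print n }
    ' "$1"
}

# fetch_team_cert TEAM_ID DEST: download to a temp file beside DEST, validate,
# and only then rename into place so clients never read a partial file.
fetch_team_cert() {
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if curl --fail --silent --show-error \
            -H "Authorization: Bearer $CRUNCHY_API_KEY" \
            -o "$tmp" "https://api.crunchybridge.com/teams/$1.pem" \
       && count_pem_certs "$tmp" >/dev/null; then
        chmod 0644 "$tmp" && mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# verified_uri BASE_URI CERT_FILE: append TLS verification parameters.
# Assumes CERT_FILE contains no characters that need percent-encoding.
verified_uri() {
    count_pem_certs "$2" >/dev/null || return 1
    case $1 in
        *\?*) sep='&' ;;   # URI already has a query string
        *)    sep='?' ;;
    esac
    printf '%s%ssslmode=verify-full&sslrootcert=%s\n' "$1" "$sep" "$2"
}

# Usage (TEAM_ID and DATABASE_URL are placeholders):
#   fetch_team_cert "$TEAM_ID" "$PWD/team.pem" &&
#       psql "$(verified_uri "$DATABASE_URL" "$PWD/team.pem")"
```

Without sslmode=verify-full (or verify-ca), libpq encrypts the connection but does not check the server's certificate against the downloaded chain.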