Zerops Certificate Authority
Zerops issues TLS certificates for its managed services (for example PostgreSQL via pgBouncer, or Valkey TLS ports) from its own internal Certificate Authority. When you connect to one of these endpoints over TLS from outside Zerops — your laptop, CI runner, or another piece of infrastructure — the client needs to trust the Zerops CA in order to verify the certificate and complete the handshake.
Download the CA
The Zerops root CA is published as a single PEM file at:
Fetch it directly:
The downloaded file is a standard PEM-encoded certificate. You can inspect it with openssl:
Inside Zerops
If your application or client runs inside a Zerops container, you do not need to download anything — the CA is already available on the local filesystem at:
Point your TLS client at that path the same way you would point it at a downloaded copy (sslrootcert=/etc/zerops-zembed/ca.crt, --cacert /etc/zerops-zembed/ca.crt, etc.). It is the same certificate that https://app.zerops.io/ca serves.
The Zerops CA is also pre-installed into the system trust store of every Zerops container, so most TLS libraries will verify Zerops-signed certificates without any explicit --cacert / sslrootcert configuration. You can confirm this in your own container with any of the following:
# 1) Subject hash → matching symlink in the system trust dir (Debian/Ubuntu)
ls -l "/etc/ssl/certs/$(openssl x509 -noout -subject_hash -in /etc/zerops-zembed/ca.crt).0"
# e.g. /etc/ssl/certs/59e8696a.0 -> service-intermediate.pem
# 2) Verify the CA file against the merged system bundle
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /etc/zerops-zembed/ca.crt
# expected: /etc/zerops-zembed/ca.crt: OK
# 3) End-to-end: handshake against a Zerops-signed endpoint without -CAfile
openssl s_client -connect <service-hostname>:6380 -verify_return_error </dev/null
# look for: Verify return code: 0 (ok)
When to use it
Use the Zerops CA whenever your client needs to verify a TLS certificate issued by Zerops. The most common cases are:
- Connecting to a managed PostgreSQL over the public TLS port (
6432, via pgBouncer) - Connecting to managed Valkey on its TLS ports (
6380, or7001in HA setups) - Any other Zerops-signed TLS endpoint reached from outside the project's private network
The same CA also signs internal TLS endpoints, so it can be useful when verifying certificates from inside a Zerops project too.
You do not need the CA for HTTPS traffic on .zerops.app subdomains or on custom domains — those use publicly-trusted certificates (Let's Encrypt by default), which every operating system already trusts.
Usage examples
psql (PostgreSQL)
Pass the CA via sslrootcert and require certificate verification with sslmode=verify-full:
Or as a connection string:
redis-cli (Valkey)
openssl s_client (debugging)
To confirm the TLS handshake and inspect the served certificate chain:
System-wide trust
To trust the Zerops CA system-wide (so clients pick it up automatically without an explicit flag):
- Debian/Ubuntu: copy to
/usr/local/share/ca-certificates/zerops-ca.crtand runsudo update-ca-certificates - macOS:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain zerops-ca.pem - Alpine: copy to
/usr/local/share/ca-certificates/zerops-ca.crtand runupdate-ca-certificates
For application code, most TLS libraries accept a custom CA bundle without modifying system trust — for example PGSSLROOTCERT for libpq, tls.RootCAs in Go, or the ca option in Node's tls module.