Quave One Root CA

Quave One operates an internal Public Key Infrastructure (PKI) that signs every TLS certificate used by our internal services (managed databases, internal dashboards, cluster-to-cluster traffic, VPN, etc.). All of these certificates chain up to a single Quave One Root CA.

To verify a Quave One internal service from your application, machine, or CI pipeline, you only need to trust this one root certificate. All intermediates are delivered automatically as part of the TLS handshake.

Rollout — April 2026

Quave One is adopting this unified Root CA format starting in April 2026. New environments are issued certificates chained to the Quave One Root CA automatically.

If you install the Quave One Root CA and your application still fails to validate a Quave One service, that environment is most likely still running on the legacy per-environment certificate format. Open a ticket with Quave One support to request an update — they will migrate the environment to the new format.

When do I need this?

You need to install the Quave One Root CA when:

Your application connects to a Quave One managed service (Redis, Postgres, MongoDB, internal HTTPS endpoints) and you see errors such as unable to get local issuer certificate, x509: certificate signed by unknown authority, SSL certificate problem: self-signed certificate in certificate chain, or PKIX path building failed.
You are using a client tool (psql, mongosh, redis-cli, curl, browsers) on a workstation that talks to internal Quave One endpoints.
You run a CI/CD job that needs to reach an internal Quave One service.

You do not need to install it when talking to Quave One public endpoints (e.g. *.quave.one served through the public ingress) — those use publicly trusted certificates issued by Let's Encrypt / commercial CAs.

Download

Download quave-one-root-ca.crt

Verify the fingerprint

Always verify the fingerprint of the certificate you downloaded against the value published below before installing it in a trust store. This protects you from a tampered download.

SHA-256: FE:E0:D4:A9:99:8D:1E:A7:38:55:45:51:B6:5A:44:11:58:10:69:87:5A:66:15:DC:64:A2:D5:A9:1A:14:34:16

Compute the fingerprint locally with OpenSSL and compare:

openssl x509 -in quave-one-root-ca.crt -noout -fingerprint -sha256

The two values must match character by character.

info

The root certificate is public. It only contains the public key; it does not grant any access. The matching private key is kept offline and is never distributed.

Install in the operating system trust store

Once installed at the OS level, most tools (curl, browsers, system package managers, etc.) automatically pick up the trust.

Linux — Debian / Ubuntu

sudo cp quave-one-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Linux — RHEL / Fedora / CentOS / Rocky / AlmaLinux

sudo cp quave-one-root-ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Linux — Alpine

sudo cp quave-one-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

macOS

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain quave-one-root-ca.crt

You can also double-click the .crt file, import it into Keychain Access under the System keychain, and set it to Always Trust.

Windows

PowerShell (run as Administrator):

Import-Certificate -FilePath .\quave-one-root-ca.crt `
  -CertStoreLocation Cert:\LocalMachine\Root

Or use the GUI: double-click the file → Install Certificate → Local Machine → Place all certificates in the following store → Trusted Root Certification Authorities.

Install in language and runtime trust stores

Some runtimes ship their own CA bundles and ignore the OS trust store. Use the instructions below in that case.

Node.js

Set NODE_EXTRA_CA_CERTS to the path of the root certificate before starting your process:

export NODE_EXTRA_CA_CERTS=/path/to/quave-one-root-ca.crt
node app.js

In Docker or Kubernetes, expose it through an environment variable and mount the file.

Python (`requests`, `httpx`, `urllib3`)

Set REQUESTS_CA_BUNDLE (and SSL_CERT_FILE as a fallback for other libraries):

export REQUESTS_CA_BUNDLE=/path/to/quave-one-root-ca.crt
export SSL_CERT_FILE=/path/to/quave-one-root-ca.crt

Alternatively, pass verify="/path/to/quave-one-root-ca.crt" directly to the request call.

To append the certificate to the bundle shipped by certifi:

python -c "import certifi; print(certifi.where())"
# append the contents of quave-one-root-ca.crt to the file printed above

Go

Go uses the OS trust store by default on Linux and macOS, so installing it at the OS level is enough. To override explicitly:

pem, err := os.ReadFile("/path/to/quave-one-root-ca.crt")
if err != nil { log.Fatal(err) }

pool := x509.NewCertPool()
pool.AppendCertsFromPEM(pem)

client := &http.Client{
  Transport: &http.Transport{
    TLSClientConfig: &tls.Config{RootCAs: pool},
  },
}

On containerized builds, you can also set SSL_CERT_FILE=/path/to/quave-one-root-ca.crt.

Java / JVM

Import the certificate into the JVM truststore using keytool:

sudo keytool -importcert \
  -alias quave-one-root-ca \
  -file quave-one-root-ca.crt \
  -keystore "$JAVA_HOME/lib/security/cacerts" \
  -storepass changeit \
  -noprompt

For an application-scoped truststore, create a dedicated file and pass it via JVM flags:

keytool -importcert -alias quave-one-root-ca \
  -file quave-one-root-ca.crt \
  -keystore ./truststore.jks -storepass changeit -noprompt

java -Djavax.net.ssl.trustStore=./truststore.jks \
     -Djavax.net.ssl.trustStorePassword=changeit \
     -jar app.jar

Ruby

export SSL_CERT_FILE=/path/to/quave-one-root-ca.crt

.NET

.NET uses the OS trust store on Windows, macOS, and most Linux distributions, so an OS-level install is enough. On minimal containers, set:

export SSL_CERT_DIR=/etc/ssl/certs

and make sure the root is present in that directory.

curl

curl uses the OS trust store by default. To point it at the file explicitly:

curl --cacert /path/to/quave-one-root-ca.crt https://internal.quave.one/...

Browsers

Browsers on Windows and macOS inherit the OS trust store. Firefox ships its own store — import the certificate in Settings → Privacy & Security → Certificates → View Certificates → Authorities → Import… and tick Trust this CA to identify websites.

Use in containers

For Docker / Kubernetes images you typically add two lines to the Dockerfile:

COPY quave-one-root-ca.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

For runtimes that do not read the OS trust store (e.g. Node.js), also set the matching environment variable in the container spec, for example:

env:
  - name: NODE_EXTRA_CA_CERTS
    value: /usr/local/share/ca-certificates/quave-one-root-ca.crt

Troubleshooting

unable to get local issuer certificate — the runtime is not reading the OS trust store. Install the root via the runtime-specific method above.
Certificate installed but still not trusted — the process was started before the certificate was added. Restart the process so it reloads the trust store.
Different fingerprint after download — do not install the certificate. Re-download from this page over HTTPS and, if the mismatch persists, contact Quave One support.

Support

If you are unable to trust the certificate or are seeing errors not covered above, contact Quave One support with:

The exact error message.
The client and runtime versions (e.g. node --version, python --version).
The hostname of the internal service you are trying to reach.

When do I need this?​

Download​

Verify the fingerprint​

Install in the operating system trust store​

Linux — Debian / Ubuntu​

Linux — RHEL / Fedora / CentOS / Rocky / AlmaLinux​

Linux — Alpine​

macOS​

Windows​

Install in language and runtime trust stores​

Node.js​

Python (requests, httpx, urllib3)​

Go​

Java / JVM​

Ruby​

.NET​

curl​

Browsers​

Use in containers​

Troubleshooting​

Support​