Skip to main content

Authentication uses mTLS for client authentication.

Certificate Generation

In your initial onboarding email from SpaceX, you were instructed to generate a secret key and a certificate signing request (CSR) with a command like (with CN, O, OU set to real values):

$ openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -nodes -keyout client.key -sha384 -out client.csr -subj "/CN=funspacecorp/O=Fun Space Corp/OU=Operations"

This generates:

  • client.key: Your secret key. Don't share this with anyone, and consult your internal security/IT team if you have questions about handling private key material.
  • client.csr: Your CSR. Send to SpaceX so we can sign it for either our production or staging environments.

The CN, or "Common Name", is associated with your account. The O and OU fields are metadata, and are informational only.

After sending the CSR to SpaceX, you will receive a client.crt file.

Browser certs

The examples in the Quick-Start Guide should be enough to get you started using the API programmatically, but the Swagger docs can be useful for interacting with the API in your browser.

You can use the following command to bundle your key and certificate into a single .p12 file compatible with most modern web browsers:

$ openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt

For example, on Google Chrome, navigate to "Privacy and Security" → "Security" → "Manage Device Certificates", which will direct you to a location to place the file.