diff --git a/proxy/Cargo.toml b/proxy/Cargo.toml
index 97301fa574..0ec2276697 100644
--- a/proxy/Cargo.toml
+++ b/proxy/Cargo.toml
@@ -113,6 +113,7 @@ p256 = "0.13"
 rsa = "0.9"
 quinn = { version = "0.11", features = [] }
+rcgen.workspace = true
 workspace_hack.workspace = true
@@ -121,7 +122,6 @@ camino-tempfile.workspace = true
 fallible-iterator.workspace = true
 tokio-tungstenite.workspace = true
 pbkdf2 = { workspace = true, features = ["simple", "std"] }
-rcgen.workspace = true
 rstest.workspace = true
 tokio-postgres-rustls.workspace = true
 walkdir.workspace = true
diff --git a/proxy/src/bin/pglb.rs b/proxy/src/bin/pglb.rs
index dee99850fd..b8e1c78814 100644
--- a/proxy/src/bin/pglb.rs
+++ b/proxy/src/bin/pglb.rs
@@ -1,8 +1,13 @@
+use std::net::SocketAddr;
+
+use anyhow::Context;
 use quinn::Endpoint;
 
 #[tokio::main]
 async fn main() {
-    let endpoint: Endpoint = endpoint_config().await.unwrap();
+    let endpoint: Endpoint = endpoint_config("0.0.0.0:5634".parse().unwrap())
+        .await
+        .unwrap();
 
     let quinn_handle = tokio::spawn(quinn_server(endpoint.clone()));
 
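Review bot: main binds the QUIC endpoint to the hard-coded wildcard `0.0.0.0:5634`, so the listener is exposed on every interface of the host regardless of where the deployment wants it; the bind address should come from CLI/config as the proxy's other listeners presumably do, with loopback as the local default. The `.await.unwrap()` on endpoint_config also turns a cert or bind failure into a panic whose anyhow chain is printed as a Debug dump; returning `anyhow::Result<()>` from main and using `?`, or `.expect("failed to start QUIC endpoint")`, gives a readable startup error. Parsing and unwrapping the literal address is fine only while it stays a literal. main continues past the end of this hunk.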
@@ -11,8 +16,24 @@ async fn main() {
     quinn_handle.await.unwrap();
 }
 
-async fn endpoint_config() -> anyhow::Result {
-    todo!()
+async fn endpoint_config(addr: SocketAddr) -> anyhow::Result {
+    use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
+
+    let mut params = rcgen::CertificateParams::new(vec!["pglb".to_string()]);
+    params
+        .distinguished_name
+        .push(rcgen::DnType::CommonName, "pglb");
+    let key = rcgen::KeyPair::generate(&rcgen::PKCS_ECDSA_P256_SHA256).context("keygen")?;
+    params.key_pair = Some(key);
+
+    let cert = rcgen::Certificate::from_params(params).context("cert")?;
+    let cert_der = cert.serialize_der().context("serialize")?;
+    let key_der = cert.serialize_private_key_der();
+    let cert = CertificateDer::from(cert_der);
+    let key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_der));
+
+    let config = quinn::ServerConfig::with_single_cert(vec![cert], key).context("server config")?;
+    Endpoint::server(config, addr).context("endpoint")
 }
 
 async fn quinn_server(_ep: Endpoint) {
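Review bot: endpoint_config mints a new self-signed ECDSA P-256 certificate for the single name `pglb` on every process start, so the listener's TLS identity changes with each restart and a client can only connect by trusting that exact ephemeral cert or by turning verification off; the cert and key should be loadable from configured paths (PEM into `CertificateDer`/`PrivateKeyDer`), with in-process generation kept as an explicit dev-only fallback rather than the only path. The validity window is also left at rcgen's defaults instead of being set through `params.not_before`/`params.not_after`, which, if I remember the crate's defaults correctly, makes the generated cert effectively non-expiring. The function is declared `async` but awaits nothing (`Endpoint::server` binds the UDP socket synchronously), so it could be a plain `fn`. A doc comment stating the contract would help, e.g. `/// Builds a QUIC server endpoint bound to addr using a throwaway self-signed cert generated at startup; not suitable for peers that validate certificates.`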