Transport Layer Security (TLS)
Transport Layer Security (TLS) uses encryption to secure network communication.
Redis Cloud Fixed, Flexible, and Annual subscriptions can use TLS to encrypt data communications between applications and Redis databases.
Use TLS with Redis Cloud
TLS is not enabled by default.
When you enable TLS, you also need to decide whether to enable client authentication, which requires that all database clients present a valid client certificate for authentication.
Client authentication is not required by Redis Cloud; however, it is strongly recommended.
Enable TLS
To enable TLS for a Redis Cloud database:
1. Select the Databases command from the admin console menu to open the View Databases screen and then select your database from the list.
2. Select the Edit icon to edit the database.
3. In the Access Control & Security section, enable the SSL Client Authentication setting.
4. Decide whether you want to enforce client authentication (also known as “mutual authentication”). By enabling client authentication, only those clients that present a valid certificate will be able to connect. If you do not want to require client authentication, skip to step 8.
5. To require client authentication, select Enforce client authentication.
6. Next, either provide an X.509 certificate containing a public key for your client or use the Generate Client Certificate button to generate one.
7. If you generate your certificate using the admin console, then a download will begin containing the following artifacts:
   - redislabs_user.crt – the certificate’s public key.
   - redislabs_user_private.key – the certificate’s private key.
   - redislabs_ca.pem – the Redis Cloud CA certificate.
8. Select the Update button to apply your changes and enable TLS.
Connect over TLS
To connect to a Redis Cloud database over TLS, you will need:
- A Redis client that supports TLS
- The Redis Cloud CA certificate
Certificates
If you don’t have the Redis Cloud CA certificate, you can download it from the admin console by going to Settings and selecting the Flexible Plans CA button.
If you’re requiring client authentication, you’ll also need public and private client keys. See Enabling TLS for details.
Connect with the Redis CLI
Here’s how to use the Redis CLI to connect to a TLS-enabled Redis Cloud database:
If you’re not requiring client authentication, then you need to provide the host, port, and the Redis Cloud CA certificate:
redis-cli -h redis.123.cloud.rlrcp.com -p 16257 --tls \
    --cacert redislabs_ca.pem
If you’ve enabled client authentication, then you also need to provide your client’s private and public keys:
redis-cli -h redis.123.cloud.rlrcp.com -p 16257 --tls --cacert redislabs_ca.pem \
    --cert redislabs_user.crt --key redislabs_user_private.key
Endpoint and port details are available from the View Database details screen.
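Before running either redis-cli command above, it helps to confirm that the downloaded files are the right kind of PEM and that the private key is not accessible to other local users. The following is an added example, not part of the Redis documentation; the function names `preflight` and `redis_cli_argv` are hypothetical, and the permission check assumes a POSIX file system.

```python
import os
import stat

CERT_MARK = "-----BEGIN CERTIFICATE-----"
KEY_MARK = "PRIVATE KEY-----"  # matches PKCS#8, RSA and EC PEM headers


def _pem_has(path, marker):
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return marker in fh.read()


def preflight(ca, cert=None, key=None):
    """Return a list of problems with the TLS files; an empty list means OK."""
    problems = []
    if (cert is None) != (key is None):
        problems.append("client auth needs both --cert and --key")
    for label, path, marker in (("cacert", ca, CERT_MARK),
                                ("cert", cert, CERT_MARK),
                                ("key", key, KEY_MARK)):
        if path is None:
            continue
        if not os.path.isfile(path):
            problems.append(f"{label}: {path} not found")
        elif not _pem_has(path, marker):
            problems.append(f"{label}: {path} lacks a '{marker}' PEM header")
    if key and os.path.isfile(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access
            problems.append(f"key: {key} has mode {mode:03o}; use chmod 600")
    return problems


def redis_cli_argv(host, port, ca, cert=None, key=None):
    """Build the redis-cli argument list; raise if any preflight check fails."""
    problems = preflight(ca, cert, key)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["redis-cli", "-h", host, "-p", str(port), "--tls", "--cacert", ca]
    if cert and key:
        argv += ["--cert", cert, "--key", key]
    return argv


if __name__ == "__main__":
    # File names as listed in the download above; run from that directory.
    print(preflight("redislabs_ca.pem", "redislabs_user.crt",
                    "redislabs_user_private.key"))
```

The returned list can be passed directly to `subprocess.run`, which avoids shell quoting issues with file paths.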