Transport Layer Security (TLS) uses encryption to secure network communications.

Redis Cloud Fixed, Flexible, and Annual subscriptions can use TLS to encrypt data communications between applications and Redis databases.

Use TLS with Redis Cloud

TLS is not enabled by default.

TLS recommendations

Because TLS has an impact on performance, you need to determine whether the security benefits of TLS are worth the performance impact. TLS recommendations depend on the subscription plan and whether clients connect to your database using public or private endpoints.

This table shows TLS recommendations:

Subscription | Public endpoint | Private endpoint
------------ | --------------- | ----------------
Fixed        | Enable TLS      | N/A
Flexible     | Enable TLS      | Enable TLS if security outweighs performance impact
Annual       | Enable TLS      | Enable TLS if security outweighs performance impact

Client authentication

When you enable TLS, you can optionally require client authentication (also known as “mutual authentication”). If enabled, all clients must present a valid client certificate when they connect to the database.

Client authentication is not required by Redis Cloud; however, it is strongly recommended.

Enable TLS

To enable TLS for a Redis Cloud database:

  1. Select Databases from the admin console menu and then select your database from the list.

  2. From the database’s Configuration screen, select the Edit database button:

  3. In the Security section, use the Transport layer security (TLS) toggle to enable TLS:

  4. Select the Download server certificate button to download the Redis Cloud certificate bundle redis_ca.pem:

  5. Decide whether you want to require client authentication:

    • If you only want clients that present a valid certificate to be able to connect, continue to the next step.

    • If you do not want to require client authentication, skip to the final step to apply your changes.

  6. To require client authentication, select the TLS client authentication checkbox.

  7. Either provide an X.509 certificate that contains a public key for your client or select Generate certificate to create one:


    If you generate your certificate from the admin console, a ZIP file download will start. The download contains:

    • redis_user.crt – the certificate’s public key.

    • redis_user_private.key – the certificate’s private key.

  8. To apply your changes and enable TLS, select the Save database button:

Note:
Once you’ve enabled TLS, all client connections to your database must use TLS. Unencrypted connections will no longer be permitted.

Connect over TLS

To connect to a Redis Cloud database over TLS, you need:

  • A Redis client that supports TLS
  • Redis Cloud CA certificates

Download certificates

If you don’t have the Redis Cloud CA certificates, you can download them from the admin console:

  1. Either select Account Settings from the admin console menu or go to the database’s Configuration screen.

  2. Go to the Security section.

  3. For Redis Cloud certificate authority, either:

    • Select the Download button to download the certificates from Account Settings:

    • Select the Download server certificate button to download the certificates from the database’s Configuration screen:


The download contains a file called redis_ca.pem, which includes the following certificates:

  • Self-signed Redis Cloud Fixed plan Root CA (deprecated but still in use)

  • Self-signed Redis Cloud Flexible plan Root CA and intermediate CA (deprecated but still in use)

  • Publicly trusted GlobalSign Root CA and intermediate CA

To inspect the certificates in redis_ca.pem, run the keytool command:

keytool -printcert -file ./redis_ca.pem | grep "Owner:"

You can add redis_ca.pem to the trust store or pass it directly to a Redis client.

If your database requires client authentication, you also need the public (redis_user.crt) and private (redis_user_private.key) client keys. See Enable TLS for details.
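
An OpenSSL-based alternative to the keytool check, as an added example that is not part of the original page: it lists every certificate in redis_ca.pem and confirms that redis_user.crt and redis_user_private.key are a matching, unexpired pair before you pass them to a client. It assumes the openssl CLI is installed and the private key is not passphrase-protected; the function names are illustrative.

```sh
#!/bin/sh
# Added example: pre-flight checks on the files named on this page.
# Assumes the openssl CLI is available; function names are illustrative.

# Print subject and issuer for every certificate in a PEM bundle.
# (openssl x509 on its own reads only the first certificate in a file.)
list_bundle_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep -v '^$'
}

# Number of certificates found in the bundle.
count_bundle_certs() {
    list_bundle_certs "$1" | grep -c '^subject'
}

# Succeeds only if the certificate's public key is the one derived
# from the private key, i.e. the two files are the same key pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid N seconds from now
# (default: 30 days), so an expiring client certificate is caught early.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Run the checks when the downloaded files are in the current directory.
if [ -f redis_ca.pem ]; then
    echo "redis_ca.pem holds $(count_bundle_certs redis_ca.pem) certificates:"
    list_bundle_certs redis_ca.pem
fi
if [ -f redis_user.crt ] && [ -f redis_user_private.key ]; then
    if cert_matches_key redis_user.crt redis_user_private.key; then
        echo "client certificate and private key match"
    else
        echo "MISMATCH: redis_user.crt and redis_user_private.key are not a pair"
    fi
    cert_valid_for redis_user.crt ||
        echo "redis_user.crt expires within 30 days"
fi
```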

Connect with the Redis CLI

Here’s how to use the Redis CLI to connect to a TLS-enabled Redis Cloud database.

Endpoint and port details are available from the Databases list or the database’s Configuration screen.

Without client authentication

If your database doesn’t require client authentication, then provide the Redis Cloud CA certificate bundle (redis_ca.pem) when you connect:

redis-cli -h <endpoint> -p <port> --tls --cacert redis_ca.pem

With client authentication

If your database requires client authentication, then you also need to provide your client’s private and public keys:

redis-cli -h <endpoint> -p <port> --tls --cacert redis_ca.pem \
    --cert redis_user.crt --key redis_user_private.key