Transport Layer Security (TLS)
Transport Layer Security (TLS) uses encryption to secure network communications.
Redis Cloud Fixed, Flexible, and Annual subscriptions can use TLS to encrypt data communications between applications and Redis databases.
Use TLS with Redis Cloud
TLS is not enabled by default.
TLS recommendations
Because TLS has an impact on performance, you need to determine whether the security benefits of TLS are worth the performance impact. TLS recommendations depend on the subscription plan and whether clients connect to your database using public or private endpoints.
This table shows TLS recommendations:
| Subscription | Public endpoint | Private endpoint |
|---|---|---|
| Fixed | Enable TLS | N/A |
| Flexible | Enable TLS | Enable TLS if security outweighs performance impact |
| Annual | Enable TLS | Enable TLS if security outweighs performance impact |
Client authentication
When you enable TLS, you can optionally require client authentication (also known as “mutual authentication”). If enabled, all clients must present a valid client certificate when they connect to the database.
Client authentication is not required by Redis Cloud; however, it is strongly recommended.
Enable TLS
To enable TLS for a Redis Cloud database:
1. Select Databases from the admin console menu and then select your database from the list.
2. From the database’s Configuration screen, select the Edit database button.
3. In the Security section, use the Transport layer security (TLS) toggle to enable TLS.
4. Select the Download server certificate button to download the Redis Cloud certificate bundle `redis_ca.pem`.
5. Decide whether you want to require client authentication:
   - If you only want clients that present a valid certificate to be able to connect, continue to the next step.
   - If you do not want to require client authentication, skip to the final step to apply your changes.
6. To require client authentication, select the TLS client authentication checkbox.
7. Either provide an X.509 certificate that contains a public key for your client or select Generate certificate to create one. If you generate your certificate from the admin console, a ZIP file download will start. The download contains:
   - `redis_user.crt`: the certificate’s public key.
   - `redis_user_private.key`: the certificate’s private key.
8. To apply your changes and enable TLS, select the Save database button.
Connect over TLS
To connect to a Redis Cloud database over TLS, you need:
- A Redis client that supports TLS
- Redis Cloud CA certificates
Download certificates
If you don’t have the Redis Cloud CA certificates, you can download them from the admin console:
1. Either select Account Settings from the admin console menu or go to the database’s Configuration screen.
2. Go to the Security section.
3. For Redis Cloud certificate authority, either:

The download contains a file called `redis_ca.pem`, which includes the following certificates:
- Self-signed Redis Cloud Fixed plan Root CA (deprecated but still in use)
- Self-signed Redis Cloud Flexible plan Root CA and intermediate CA (deprecated but still in use)
- Publicly trusted GlobalSign Root CA

To inspect the certificates in `redis_ca.pem`, run the `keytool` command:

```shell
keytool -printcert -file ./redis_ca.pem | grep "Owner:"
```

You can add `redis_ca.pem` to the trust store or pass it directly to a Redis client.
If your database requires client authentication, you also need the public (`redis_user.crt`) and private (`redis_user_private.key`) client keys. See Enable TLS for details.
Connect with the Redis CLI
Here’s how to use the Redis CLI to connect to a TLS-enabled Redis Cloud database.
Endpoint and port details are available from the Databases list or the database’s Configuration screen.
Without client authentication
If your database doesn’t require client authentication, then provide the Redis Cloud CA certificate bundle (`redis_ca.pem`) when you connect:

```shell
redis-cli -h <endpoint> -p <port> --tls --cacert redis_ca.pem
```
With client authentication
If your database requires client authentication, then you also need to provide your client’s private and public keys:

```shell
redis-cli -h <endpoint> -p <port> --tls --cacert redis_ca.pem \
  --cert redis_user.crt --key redis_user_private.key
```
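The same connection written as an added Python example that uses only the standard library; it is not Redis Cloud's code and not a Redis client library. It does three things the sections above describe: splits `redis_ca.pem` into its individual certificates and fingerprints each one (the same inspection the `keytool` command performs, useful for checking which of the three CAs you are actually trusting), builds a client TLS context that verifies the server chain against the bundle, checks the endpoint hostname, refuses anything older than TLS 1.2 and presents `redis_user.crt`/`redis_user_private.key` when client authentication is required, and then sends AUTH and PING in the Redis wire protocol. The sample PEM bundle is constructed filler for the splitter only (not real certificates), and the endpoint, port and password shown in the comments are placeholders you replace with the values from the Databases list.

```python
"""Inspect a Redis Cloud CA bundle and connect over TLS (added example, stdlib only)."""
import base64
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


@dataclass
class BundleEntry:
    index: int
    der: bytes      # DER encoding of the certificate
    sha256: str     # hex SHA-256 fingerprint of the DER bytes


def split_pem_bundle(pem_text: str) -> List[BundleEntry]:
    """Split a PEM bundle such as redis_ca.pem into its certificates and fingerprint
    each one. Comparing fingerprints with the values the CA publishes tells you exactly
    which roots your client will trust."""
    entries: List[BundleEntry] = []
    block = None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            block = [line]
        elif line == PEM_END and block is not None:
            block.append(line)
            der = ssl.PEM_cert_to_DER_cert("\n".join(block))  # base64-decodes the body
            entries.append(BundleEntry(len(entries), der, hashlib.sha256(der).hexdigest()))
            block = None
        elif block is not None:
            block.append(line)
    return entries


def build_client_context(ca_file: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings a Redis client should use against Redis Cloud:
    verify the server chain (against redis_ca.pem, or the OS trust store when ca_file
    is None), check the certificate against the endpoint hostname, require TLS 1.2+,
    and present a client certificate when the database requires client authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def resp_command(*parts: str) -> bytes:
    """Encode a command as a RESP array, the Redis wire format (e.g. AUTH, PING)."""
    out = [f"*{len(parts)}\r\n".encode()]
    for part in parts:
        raw = part.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def tls_ping(host: str, port: int, ctx: ssl.SSLContext, password: Optional[str] = None) -> str:
    """Open a TLS connection to the endpoint, AUTH if a password is given, then PING.
    Returns the server's reply line; a healthy database answers '+PONG'."""
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the hostname check enabled above.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if password:
                tls.sendall(resp_command("AUTH", password))
                reply = tls.recv(1024).decode(errors="replace").strip()
                if not reply.startswith("+OK"):
                    raise RuntimeError(f"AUTH failed: {reply}")
            tls.sendall(resp_command("PING"))
            return tls.recv(1024).decode(errors="replace").strip()


def _fake_pem(payload: bytes) -> str:
    """Wrap bytes in PEM armour. Constructed filler to exercise the splitter; not a certificate."""
    body = base64.encodebytes(payload).decode()
    return f"{PEM_BEGIN}\n{body}{PEM_END}\n"


# Constructed sample bundle with two entries (stands in for redis_ca.pem in the demo).
SAMPLE_BUNDLE = _fake_pem(b"constructed-root-ca") + _fake_pem(b"constructed-intermediate-ca")


if __name__ == "__main__":
    for entry in split_pem_bundle(SAMPLE_BUNDLE):
        print(f"cert {entry.index}: {len(entry.der)} DER bytes, sha256 {entry.sha256}")
    # Real use (placeholders; endpoint, port and password come from the Databases list):
    # ctx = build_client_context("redis_ca.pem", "redis_user.crt", "redis_user_private.key")
    # print(tls_ping("<endpoint>", 12345, ctx, password="<password>"))
```

Run the script on the real `redis_ca.pem` by replacing `SAMPLE_BUNDLE` with the file contents; a client that uses `build_client_context` fails the handshake, rather than silently connecting, if the server presents a certificate that is not chained to one of the bundle's CAs or that does not match the endpoint name.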