Transport Layer Security (TLS)
Transport Layer Security (TLS), commonly called “SSL”, ensures the privacy of data sent between applications and their Redis databases. TLS is available in Redis Cloud Pro and Redis Cloud Ultimate.
Using TLS with Redis Cloud
TLS is not enabled by default for Redis Cloud databases. To use TLS, you must first enable it.
When you enable TLS, you also need to decide whether to enable client authentication. With client authentication, all clients connecting to your database will be required to present a valid client certificate for the connection to succeed. Although client authentication is not required by Redis Cloud, we do recommend it.
Here’s how to enable TLS for a Redis Cloud database.
- From the admin console, navigate to the View Database screen for your database.
- Click on the edit icon to enter the Edit Database screen.
- Under the Access Control & Security subsection, click the SSL Client Authentication slider.
Decide whether you want to require client authentication (also known as “mutual authentication”). By enabling client authentication, only those clients that present a valid certificate will be able to connect. If you do not want to require client authentication, skip to step 8.
To require client authentication, select Enforce client authentication.
Next, either provide an X.509 certificate containing a public key for your client, or generate one by clicking Generate Client Certificate.
If you generate your certificate using the admin console, then a download will begin containing the following artifacts:
redislabs_user.crt– the certificate’s public key.
redislabs_user_private.key– the certificate’s private key.
redislabs_ca.pem– the Redis Cloud CA certificate.
Click the Update button to apply your changes and enable TLS.
Connecting over TLS
To connect to a Redis Cloud database over TLS, you will need:
- A Redis client that supports TLS
- The Redis Cloud CA certificate
If you don’t have the Redis Cloud CA certificate, you can download it again from the admin console by going to Settings and clicking on Pro CA.
In addition, if you’re requiring client authentication, then you’ll need a public and private client key. See Enabling TLS for where to get these files.
Connecting with the Redis CLI
Here’s a quick example of how to connect to your TLS-enabled Redis Cloud database using the Redis CLI.
If you’re not requiring client authentication, then you only need to provide the host, port, and the the Redis Cloud CA certificate:
redis-cli -h redis.123.cloud.rlrcp.com -p 16257 --tls --cacert redislabs_ca.pem
If you’ve enabled client authentication, then you also need to provide your client’s private and public keys:
redis-cli -h redis.123.cloud.rlrcp.com -p 16257 --tls --cacert redislabs_ca.pem --cert redislabs_user.crt --key redislabs_user_private.key