Updating SSL/TLS certificates
Redis Enterprise Software (RS) uses self-signed certificates to encrypt the following traffic:
- Management UI
- REST API
- Connections between clients and the database endpoint
- Synchronization between databases for ReplicaOf and CRDB
These self-signed certificates are generated on the first node of each RS installation. These certificates are then copied to all other nodes added to the cluster.
How to update SSL/TLS certificates
For versions 5.2.0 and above: (Procedures for previous releases)
Use the REST API to replace the certificate:
curl -k -X PUT -u "<username>:<password>" -H "Content-Type: application/json" -d '{ "name": "<cert_name>", "key": "<key>", "certificate": "<cert>" }' https://<cluster_address>:9443/v1/cluster/update_certWhere:
- cert_name - The name of the certificate to replace:
- For management UI:
cm - For REST API:
api - For database endpoint:
proxy - For syncer:
syncer
- For management UI:
- key - The contents of the *_key.pem file
Tip -The key file contains\nend of line characters (EOL) that you cannot paste into the API call. You can usesed -z 's/\n/\\n/g'to escape the EOL characters.- cert - The contents of the *_cert.pem file
The certificate is copied automatically to all nodes in the cluster.
- cert_name - The name of the certificate to replace:
When you upgrade RS, the upgrade process copies the certificates on the first upgraded node to all of the nodes in the cluster.
TLS version
To set the minimum TLS version that can be used for encrypting various flows, use the REST API or the following rladmin commands:
For the management UI and REST API:
rladmin> cluster config min_control_TLS_version <version, e.g. 1.2>For data path encryption:
rladmin> cluster config min_data_TLS_version <version, e.g. 1.2>
After you set the minimum TLS version, RS does not accept communications with TLS versions older than the specified version.