{
  "id": "manage-rec-certificates",
  "title": "Manage Redis Enterprise cluster (REC) certificates",
  "url": "https://redis.io/docs/latest/operate/kubernetes/7.8.4/security/manage-rec-certificates/",
  "summary": "Install your own certificates to be used by the Redis Enterprise cluster's operator.",
  "content": "\nBy default, Redis Enterprise Software for Kubernetes generates TLS certificates for the cluster during creation. These self-signed certificates are generated on the first node of each Redis Enterprise cluster (REC) and are copied to all other nodes added to the cluster. For the list of certificates used by Redis Enterprise Software and the traffic they encrypt, see the [certificates table]().\n\nTo install and use your own certificates with Kubernetes on your Redis Enterprise cluster, store them in [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). The REC custom resource also needs to be configured with those secret names to read and use the certificates.\n\n## Create a secret to hold the new certificate\n\nCreate the [secret](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/) with the required fields shown below.\n\n  ```sh\n  kubectl create secret generic \u003csecret-name\u003e \\\n    --from-file=certificate=\u003c/PATH/TO/certificate.pem\u003e \\\n    --from-file=key=\u003c/PATH/TO/key.pem\u003e \\\n    --from-literal=name=\u003cproxy | api | cm | syncer | metrics_exporter\u003e\n  ```\n\n## Update certificates in the REC custom resource\n\nEdit the Redis Enterprise cluster (REC) custom resource to add a `certificates` subsection under the `spec` section. 
You are only required to add the fields for the certificates you are installing.\n\n```yaml\nspec:\n  certificates:\n    apiCertificateSecretName: \u003capicert-secret-name\u003e\n    cmCertificateSecretName: \u003ccmcert-secret-name\u003e\n    syncerCertificateSecretName: \u003csyncercert-secret-name\u003e\n    metricsExporterCertificateSecretName: \u003cmetricscert-secret-name\u003e\n    proxyCertificateSecretName: \u003cproxycert-secret-name\u003e\n```\n\n### Update certificates through the API\n\nAlternatively, you can update the REC certificates through the API:\n\n```API\nPUT /v1/cluster/update_cert\n{\n   \"certificate\": \u003ccertificate\u003e, \n   \"key\": \u003ccert-key\u003e,\n   \"name\": \u003ccert-name\u003e \n}\n```\n\n### Verify the certificate was updated\n\nCheck the operator logs and use the API to verify the certificate has been updated.\n\n  ```api\n  GET /v1/cluster/certificates\n  ```\n\n## More info\n\n- [Update certificates]()\n- [Install your own certificates]()\n- [Glossary/Transport Layer Security (TLS)]()\n",
  "tags": ["docs","operate","kubernetes"],
  "last_updated": "2026-04-08T12:21:52-07:00"
}

