{
  "id": "certificate-based-authentication",
  "title": "Certificate-based authentication",
  "url": "https://redis.io/docs/latest/operate/rs/7.8/security/certificates/certificate-based-authentication/",
  "summary": "Certificate-based authentication allows secure, passwordless access to the REST API and databases.",
  "content": "\nYou can set up certificate-based authentication for specific users to enable secure, passwordless access to the Redis Enterprise Software REST API and databases.\n\n## Set up certificate-based authentication\n\nTo set up certificate-based authentication:\n\n1. [Add the `mtls_trusted_ca` certificate.](#add-cert)\n\n1. [Configure cluster settings.](#config-cluster)\n\n1. If you want to enable certificate-based authentication for databases, you must [enable mutual TLS for the relevant databases](#enable-mtls-dbs). Otherwise, you can skip this step.\n\n1. [Create certificate auth_method users.](#create-cert-users)\n\n### Add mtls_trusted_ca certificate {#add-cert}\n\nAdd a trusted CA certificate `mtls_trusted_ca` to the cluster using an update cluster certificate request:\n\n```sh\nPUT /v1/cluster/update_cert\n{\n  \"name\": \"mtls_trusted_ca\",\n  \"certificate\": \"\u003ccontent of certificate PEM file\u003e\"\n}\n```\n\n### Configure cluster settings {#config-cluster}\n\nUpdate cluster settings with mutual TLS configuration.\n\nFor certificate validation by Subject Alternative Name (SAN), use:\n\n```sh\nPUT /v1/cluster\n{\n  \"mtls_certificate_authentication\": true,\n  \"mtls_client_cert_subject_validation_type\": \"san_cn\",\n  \"mtls_authorized_subjects\": [{\n    \"CN\": \"\u003cCommon Name\u003e\"\n  }]\n}\n```\n\nFor certificate validation by full Subject Name, use:\n\n```sh\nPUT /v1/cluster\n{\n  \"mtls_certificate_authentication\": true,\n  \"mtls_client_cert_subject_validation_type\": \"full_subject\",\n  \"mtls_authorized_subjects\": [{\n    \"CN\": \"\u003cCommon Name\u003e\",\n    \"OU\": [\u003carray of Organizational Unit strings\u003e],\n    \"O\": \"\u003cOrganization\u003e\",\n    \"C\": \"\u003c2-letter country code\u003e\",\n    \"L\": \"\u003cLocality (city)\u003e\",\n    \"ST\": \"\u003cState/Province\u003e\"\n  }]\n}\n```\n\nReplace the placeholder values `\u003c\u003e` with your client certificate's subject 
values.\n\n### Enable mutual TLS for databases {#enable-mtls-dbs}\n\nBefore you can connect to a database using certificate-based authentication, you must enable mutual TLS (mTLS). See Enable TLS for detailed instructions.\n\n### Create certificate auth_method users {#create-cert-users}\n\nWhen you create new users, include `\"auth_method\": \"certificate\"` and `certificate_subject_line` in the request body:\n\n```sh\nPOST /v1/users\n{\n  \"auth_method\": \"certificate\",\n  \"certificate_subject_line\": \"CN=\u003cCommon Name\u003e, OU=\u003cOrganization Unit\u003e, O=\u003cOrganization\u003e, L=\u003cLocality\u003e, ST=\u003cState/Province\u003e, C=\u003cCountry\u003e\"\n}\n```\n\nReplace the placeholder values `\u003c\u003e` with your client certificate's subject values.\n\n## Authenticate REST API requests\n\nTo use the REST API with certificate-based authentication, you must provide a client certificate, signed by the trusted CA `mtls_trusted_ca`, and a private key.\n\nThe following example uses [cURL](https://curl.se/) to send a REST API request:\n\n```sh\ncurl --request \u003cMETHOD\u003e --url https://\u003chostname-or-IP-address\u003e:9443/\u003cAPI-version\u003e/\u003cAPI-path\u003e --cert client.pem --key client.key\n```\n\n## Authenticate database connections\n\nTo connect to a database with certificate-based authentication, you must provide a client certificate, signed by the trusted CA `mtls_trusted_ca`, and a private key.\n\nThe following example shows how to connect to a Redis database with `redis-cli`:\n\n```sh\nredis-cli -h \u003chostname-or-IP-address\u003e -p \u003cport\u003e --tls --cacert \u003credis_cert\u003e.pem --cert redis_user.crt --key redis_user_private.key\n```\n\n## Limitations\n\n- Certificate-based authentication is not implemented for the Cluster Manager UI.\n",
  "tags": ["docs","operate","rs"],
  "last_updated": "2026-04-01T08:10:08-05:00"
}

