{
  "id": "enable-tls",
  "title": "Enable TLS",
  "url": "https://redis.io/docs/latest/operate/rs/7.8/security/encryption/tls/enable-tls/",
  "summary": "Shows how to enable TLS.",
  "content": "\nYou can use TLS authentication for one or more of the following types of communication:\n\n- Communication from clients (applications) to your database\n- Communication from your database to other clusters for replication using [Replica Of]()\n- Communication to and from your database to other clusters for synchronization using [Active-Active]()\n\n\nWhen you enable or turn off TLS, the change applies to new connections but does not affect existing connections. You must update TLS parameters in the client's connection configuration, then clients must close existing connections and reconnect to apply the change.\n\n\n## Enable TLS for client connections {#client}\n\nTo enable TLS for client connections:\n\n1. From your database's **Security** tab, select **Edit**.\n\n1. Expand the **TLS - Transport Layer Security for secure connections** section, then select **On**.\n\n1. In the **Apply TLS for** section, select **Clients and databases + Between databases**.\n\n1. Select **Save**.\n\n### Enable mutual TLS\n\nOptionally, you can enable mutual TLS for client connections:\n\n1. Select **Mutual TLS (Client authentication)**.\n\n    \n\n1. For each client certificate, select **+ Add certificate**, paste or upload the client certificate, then select **Done**.\n\n    If your database uses Replica Of, you also need to add the syncer certificates for the participating clusters. See [Enable TLS for Replica Of cluster connections](#enable-tls-for-replica-of-cluster-connections) for instructions.\n\n1. 
You can configure **Additional certificate validations** to further limit connections to clients with valid certificates.\n\n    Additional certificate validations occur only when loading a [certificate chain](https://en.wikipedia.org/wiki/Chain_of_trust#Computer_security) that includes the [root certificate](https://en.wikipedia.org/wiki/Root_certificate) and intermediate [CA](https://en.wikipedia.org/wiki/Certificate_authority) certificate but does not include a leaf (end-entity) certificate. If you include a leaf certificate, mutual client authentication skips any additional certificate validations. In other words, when you upload a CA chain rather than individual leaf certificates, any client that presents a certificate issued under that CA is accepted unless a validation entry restricts it, so add at least one validation entry whenever you upload a CA chain.\n\n    1. Select a certificate validation option.\n\n        | Validation option | Description |\n        |-------------------|-------------|\n        | _No validation_ | Authenticates clients with valid certificates. No additional validations are enforced. |\n        | _By Subject Alternative Name_ | A client certificate is valid only if one of its Subject Alternative Name (SAN) DNS entries or its Common Name (CN) matches an entry in the list of valid subjects (the comparison is case-sensitive). Ignores other [`Subject`](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) attributes. |\n        | _By full Subject Name_ | A client certificate is valid only if its [`Subject`](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) attributes match an entry in the list of valid subjects. |\n\n    1. If you selected **No validation**, you can skip this step. Otherwise, select **+ Add validation** to create a new entry and then enter valid [`Subject`](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) attributes for your client certificates. 
All `Subject` attributes are case-sensitive.\n\n        | Subject attribute\u003cbr /\u003e(case-sensitive) | Description |\n        |-------------------|-------------|\n        | _Common Name (CN)_ | Name of the client authenticated by the certificate (_required_) |\n        | _Organization (O)_ | The client's organization or company name |\n        | \u003cnobr\u003e_Organizational Unit (OU)_\u003c/nobr\u003e | Name of the unit or department within the organization |\n        | _Locality (L)_ | The organization's city |\n        | _State / Province (ST)_ | The organization's state or province |\n        | _Country (C)_ | 2-letter code that represents the organization's country |\n\n        You can only enter a single value for each field, except for the _Organizational Unit (OU)_ field. If your client certificate has a `Subject` with multiple  _Organizational Unit (OU)_ values, press the `Enter` or `Return` key after entering each value to add multiple Organizational Units.\n\n        \n\n        **Breaking change:** If you use the [REST API]() instead of the Cluster Manager UI to configure additional certificate validations, note that `authorized_names` is deprecated as of Redis Enterprise v6.4.2. Use `authorized_subjects` instead. See the [BDB object reference]() for more details.\n\n1. Select **Save**.\n\n### Validate client certificate expiration\n\nBy default, Redis Enterprise Software validates client certificate expiration dates.  You can use [`rladmin tune db`]() to turn off this behavior.\n\n```sh\nrladmin tune db \u003c db:id | name \u003e mtls_allow_outdated_certs { enabled | disabled }\n```\n\n### Connect over TLS\n\nTo connect to a Redis Enterprise Software database over TLS using [`redis-cli`]():\n\n1. Download or copy the server (or proxy) certificate from the Cluster Manager UI (**Cluster \u003e Security \u003e Certificates \u003e Server authentication**) or from a cluster node (`/etc/opt/redislabs/proxy_cert.pem`).\n\n1. 
Copy the certificate to each client machine.\n\n1. If your database doesn't require client authentication with mutual TLS, provide the server certificate when you connect so that `redis-cli` verifies the server:\n\n    ```sh\n    redis-cli -h \u003cendpoint\u003e -p \u003cport\u003e --tls --cacert proxy_cert.pem\n    ```\n\n1. If your database requires client authentication with mutual TLS, provide the client certificate and its private key along with the Redis Enterprise Software server certificate when you connect:\n\n    ```sh\n    redis-cli -h \u003cendpoint\u003e -p \u003cport\u003e --tls --cacert proxy_cert.pem \\\n        --cert redis_user.crt --key redis_user_private.key\n    ```\n\n## Enable TLS for Active-Active cluster connections\n\nYou can enable TLS for Active-Active cluster connections when you create a database using the Cluster Manager UI, [`crdb-cli`](), or the [REST API]().\n\nIf you need to enable or turn off TLS after the Active-Active database is created, you must use [`crdb-cli`]() or the [REST API]().\n\n### Enable TLS during database creation\n\nTo enable TLS for Active-Active cluster connections using the Cluster Manager UI:\n\n1. During [database creation](), expand the **TLS** configuration section.\n\n1. Select **On** to enable TLS.\n\n1. Click **Create**.\n\nIf you also want to require TLS for client connections, you must edit the Active-Active database configuration after creation. 
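If you plan to require client authentication, it is worth checking in advance how the additional certificate validations from [Enable TLS for client connections](#client) will treat your certificates, because the matching is exact and case-sensitive and OU can carry several values. The following Python model is an added example, not code from Redis or this documentation: it applies the two validation rules described on this page to a constructed certificate in the shape `ssl.getpeercert()` returns, together with the default expiry check that `mtls_allow_outdated_certs` turns off. Its assumptions are that attributes omitted from a validation entry are not checked, that multiple OU values are compared as an unordered set, and that the option names `none`, `san` and `full_subject` are this example's own, not Redis identifiers.

```python
import ssl
import time

# Attribute names as ssl.getpeercert() reports them, mapped to the short
# forms used in the Cluster Manager validation table (CN, O, OU, L, ST, C).
ATTR_SHORT = {
    'commonName': 'CN',
    'organizationName': 'O',
    'organizationalUnitName': 'OU',
    'localityName': 'L',
    'stateOrProvinceName': 'ST',
    'countryName': 'C',
}


def subject_attrs(cert):
    # Flatten the RDN tuple-of-tuples into {short name: [values...]};
    # only OU is expected to carry more than one value.
    attrs = {}
    for rdn in cert.get('subject', ()):
        for name, value in rdn:
            short = ATTR_SHORT.get(name)
            if short is not None:
                attrs.setdefault(short, []).append(value)
    return attrs


def san_dns_names(cert):
    # Only DNS SAN entries take part in 'By Subject Alternative Name'.
    return [value for kind, value in cert.get('subjectAltName', ()) if kind == 'DNS']


def matches_by_san(cert, valid_subjects):
    # 'By Subject Alternative Name': a SAN DNS entry or the CN must equal an
    # entry's CN exactly (case-sensitive); other Subject attributes are ignored.
    allowed = {entry['CN'] for entry in valid_subjects}
    candidates = san_dns_names(cert) + subject_attrs(cert).get('CN', [])
    return any(name in allowed for name in candidates)


def matches_by_full_subject(cert, valid_subjects):
    # 'By full Subject Name': every attribute listed in an entry must equal the
    # certificate's value(s), case-sensitively. OU may hold several values and
    # is compared as an unordered set (assumption). Attributes omitted from an
    # entry are not checked (assumption).
    attrs = subject_attrs(cert)
    for entry in valid_subjects:
        matched = True
        for key, wanted in entry.items():
            wanted_list = wanted if isinstance(wanted, list) else [wanted]
            if sorted(attrs.get(key, [])) != sorted(wanted_list):
                matched = False
                break
        if matched:
            return True
    return False


def is_expired(cert, now=None):
    # notAfter is the string form ssl.getpeercert() uses, e.g. 'Jan 15 00:00:00 2030 GMT'.
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert['notAfter']) < now


def client_cert_acceptable(cert, option, valid_subjects=(), now=None, allow_outdated=False):
    # Expiry is checked first unless outdated certificates are allowed (the
    # rladmin mtls_allow_outdated_certs setting), then the validation option.
    # The option names below are this example's own, not Redis identifiers.
    if not allow_outdated and is_expired(cert, now):
        return False, 'certificate expired'
    if option == 'none':
        return True, 'valid certificate, no additional validation'
    if option == 'san':
        ok = matches_by_san(cert, valid_subjects)
    elif option == 'full_subject':
        ok = matches_by_full_subject(cert, valid_subjects)
    else:
        raise ValueError('unknown validation option: ' + option)
    return ok, ('subject matched' if ok else 'subject not in valid subjects')


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    'subject': (
        (('countryName', 'US'),),
        (('organizationName', 'Example Corp'),),
        (('organizationalUnitName', 'Payments'),),
        (('organizationalUnitName', 'Platform'),),
        (('commonName', 'app-01'),),
    ),
    'subjectAltName': (('DNS', 'app-01.internal.example'), ('IP Address', '10.0.0.5')),
    'notAfter': 'Jan 15 00:00:00 2030 GMT',
}
# Fixed clock so the checks are reproducible.
NOW = ssl.cert_time_to_seconds('Jun 15 00:00:00 2026 GMT')

if __name__ == '__main__':
    san_entries = [{'CN': 'app-01.internal.example'}]
    full_entries = [{'CN': 'app-01', 'O': 'Example Corp', 'OU': ['Platform', 'Payments'], 'C': 'US'}]
    print(client_cert_acceptable(SAMPLE_CERT, 'san', san_entries, NOW))
    print(client_cert_acceptable(SAMPLE_CERT, 'full_subject', full_entries, NOW))
    # Case matters: 'App-01' does not match the certificate's 'app-01'.
    print(client_cert_acceptable(SAMPLE_CERT, 'san', [{'CN': 'App-01'}], NOW))
    expired = dict(SAMPLE_CERT, notAfter='Jan 15 00:00:00 2020 GMT')
    print(client_cert_acceptable(expired, 'none', now=NOW))
    print(client_cert_acceptable(expired, 'none', now=NOW, allow_outdated=True))
```

Feed it the subject and SAN values of your own client certificates (for example as printed by `openssl x509 -noout -subject -ext subjectAltName`) to confirm that each entry you add in the Cluster Manager UI matches the certificate you expect and nothing else, in particular that a single-OU entry does not accept a certificate carrying two OUs and that a CN typed in the wrong case is rejected.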
See [Enable TLS for client connections](#client) for instructions.\n\n### Enable TLS after database creation\n\nYou can enable TLS for an existing Active-Active database using either `crdb-cli` or the REST API.\n\n**CLI:**\n\nRun the following [`crdb-cli crdb update`]() command:\n\n```sh\ncrdb-cli crdb update --crdb-guid \u003cguid\u003e --encryption true\n```\n\nReplace `\u003cguid\u003e` with your Active-Active database's globally unique identifier.\n\n**REST API:**\n\nYou can use an [update database configuration]() request to enable TLS.\n\nTo enable TLS for Active-Active database communications only:\n\n```sh\nPUT https://\u003chost\u003e:9443/v1/bdbs/\u003cdatabase-id\u003e\n{\n  \"enforce_client_authentication\": \"disabled\",\n  \"tls_mode\": \"replica_ssl\"\n}\n```\n\nTo enable TLS for all communications:\n\n```sh\nPUT https://\u003chost\u003e:9443/v1/bdbs/\u003cdatabase-id\u003e\n{\n  \"enforce_client_authentication\": \"disabled\",\n  \"tls_mode\": \"enabled\"\n}\n```\n\n\n\n## Enable TLS for Replica Of cluster connections\n\n\n",
  "tags": ["docs","operate","rs"],
  "last_updated": "2026-04-01T08:10:08-05:00"
}

