This topic describes how to enable Secure Sockets Layer (SSL) encryption to protect data in transit. It also describes how to change the Transport Layer Security (TLS) version based on business requirements.

Prerequisites

Supported instance types:
  • Redis 2.8 standard master-replica instances
    Note You cannot change the TLS version for Redis 2.8 standard master-replica instances.
  • Redis 2.8 cluster instances
  • Redis 4.0 cluster instances
  • Redis 5.0 cluster instances
Note SSL encryption may increase the network latency of instances. We recommend that you enable this feature only when required.

Enable SSL encryption

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar, select the region where the target instance is located.
  3. On the Instances page, click the Instance ID of the target instance.
  4. In the left-side navigation pane, click SSL Settings.
  5. On the SSL Settings page, turn on SSL Certificate.
    Note
    • After you enable SSL encryption, the port of ApsaraDB for Redis remains unchanged. You can establish SSL-encrypted connections or connections that do not use SSL encryption.
    • If you enable SSL encryption, the default TLS version is 1.1. To change the TLS version, perform the following steps.

Change the TLS version

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar, select the region where the target instance is located.
  3. On the Instances page, click the Instance ID of the target instance.
  4. In the left-side navigation pane, click SSL Settings.
  5. On the SSL Settings page, click Minimum TLS version and select a supported TLS version from the drop-down list.
    Note If the Minimum TLS version drop-down list is disabled, upgrade the minor version of the instance. For more information, see Upgrade the minor version.

Update the SSL certificate validity

You can update the validity period of your certificate in the ApsaraDB for Redis console. The validity period is extended for one year from the date of the update.

Warning If you update the validity period of an SSL certificate, the instance is restarted. During the restart process, the instance is disconnected for a few seconds. We recommend that you update the certificate during off-peak hours and make sure that your application supports automatic reconnection.
  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar, select the region where the target instance is located.
  3. On the Instances page, click the Instance ID of the target instance.
  4. In the left-side navigation pane, click SSL Settings.
  5. On the SSL Settings page, click Update Validity.
    Warning The next step asks you to confirm the certificate update. This operation immediately restarts the ApsaraDB for Redis instance. We recommend that you perform this operation during off-peak hours.
  6. In the Update SSL Certificate Validity dialog box, click OK.

Download the CA certificate

  1. Log on to the ApsaraDB for Redis console.
  2. In the top navigation bar, select the region where the target instance is located.
  3. On the Instances page, click the Instance ID of the target instance.
  4. In the left-side navigation pane, click SSL Settings.
  5. On the SSL Settings page, click Download SSL Certificate.
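
Because the port still accepts connections that do not use SSL encryption after the feature is enabled, traffic is encrypted only when the client itself insists on TLS. The following Python client is an added example, not part of the original documentation: it trusts only the downloaded CA certificate, sets its own minimum TLS version, and reports what was negotiated. The host, port, CA file path and the REDIS_PASSWORD environment variable are caller-supplied assumptions, and the example assumes the instance certificate names the endpoint you connect to.

```python
import os
import socket
import ssl
import sys


def build_tls_context(ca_file=None, minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that verifies the server and refuses TLS below `minimum`."""
    # With cafile set, only that CA is trusted (the file downloaded from the
    # SSL Settings page); with None, the system trust store is used instead.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = minimum  # client-side floor, independent of the console setting
    return ctx


def resp_command(*args):
    """Encode a Redis command as a RESP array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        data = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def probe(host, port, ca_file, password=None, timeout=5.0):
    """Connect over TLS only; return (tls_version, cipher_name, ping_reply)."""
    ctx = build_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket raises ssl.SSLError on an untrusted chain, a hostname
        # mismatch, or a protocol below the floor; there is no plaintext fallback.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if password:
                tls.sendall(resp_command("AUTH", password))
                tls.recv(4096)
            tls.sendall(resp_command("PING"))
            return tls.version(), tls.cipher()[0], tls.recv(4096)


if __name__ == "__main__":
    # Usage: python probe.py <host> <port> <ca.pem>   (all caller-supplied)
    # REDIS_PASSWORD is a hypothetical variable name chosen for this example.
    host, port, ca_file = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    try:
        print(probe(host, port, ca_file, os.environ.get("REDIS_PASSWORD")))
    except (ssl.SSLError, OSError) as exc:
        sys.exit(f"TLS connection failed: {exc}")
```

A reply of `+PONG` or an authentication error both show that the handshake completed; an `ssl.SSLError` means the certificate, hostname or protocol version did not meet the client's policy.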

FAQ

What can I do if the error message "version not supported" appears?

You can upgrade the minor version of the instance. For more information, see Upgrade the minor version.

Related operations

API                  Description
ModifyInstanceSSL    Enables or disables the SSL encryption of an ApsaraDB for Redis instance.