SSL encryption secures data in transit between clients and your ApsaraDB for Redis instance.
Starting April 7, 2023, Tair (Redis OSS-compatible) upgraded SSL to Transport Layer Security (TLS). You cannot enable SSL encryption for your instance. If SSL is already enabled on your instance, you can continue using it or disable it. After you disable SSL, you cannot re-enable it. For details, see Notice on encryption upgrade from SSL to TLS.
When to enable SSL
SSL encryption may increase network latency. Enable it only when encryption is required — for example, when connecting to an instance over the Internet.
Prerequisites
Before you begin, ensure that you have:
An instance deployed in classic mode
An instance running Redis 4.0 or 5.0
An instance using the cluster architecture
Enable, renew, or download the SSL certificate
The instance restarts after you enable SSL or update the certificate. A brief connection interruption of a few seconds may occur. Perform this operation during off-peak hours and make sure your application can automatically reconnect.
Log in to the console and go to the Instances page. In the top navigation bar, select the region where the instance resides, then click the instance ID.
In the left-side navigation pane, click TLS Settings (SSL).
Perform the operation you need:
| Operation | Steps |
|---|---|
| Enable or disable SSL | Turn SSL Certificate Information on or off. |
| Renew the CA certificate | Click Update Certificate in the upper-right corner, then click OK. The renewed certificate is valid for three years. Download and configure the new certificate file after renewal. |
| Download the CA certificate | Click Download SSL Certificate in the upper-right corner. |

After you enable SSL, the instance supports both SSL and non-SSL connections.
CA certificate package contents
The downloaded package contains three files:
| File | Description |
|---|---|
| ApsaraDB-CA-Chain.p7b | Import the CA certificate into Windows |
| ApsaraDB-CA-Chain.pem | Import the CA certificate into Linux or other operating systems and applications |
| ApsaraDB-CA-Chain.jks | Import the CA certificate chain into Java applications (truststore format) |
FAQ
Why does a "version not supported" error appear?
Update your instance to the latest minor version. See Update the minor version of an instance.
How long is an SSL certificate valid?
An SSL certificate is valid for three years. Before it expires, click Update Certificate to renew it, then download and configure the new certificate file. If the certificate expires without renewal, clients cannot connect over an encrypted connection.
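A client-side check for the expiry described above, as an added example that is not part of the original documentation: it connects over TLS while trusting only ApsaraDB-CA-Chain.pem and reports how many days remain on the certificate the instance presents. The 30-day threshold, the function names, and the endpoint and port passed on the command line are assumptions.

```python
import socket
import ssl
import sys
import time

CA_FILE = "ApsaraDB-CA-Chain.pem"  # PEM file from the downloaded package
RENEW_THRESHOLD_DAYS = 30          # assumed alerting threshold, not from the page


def days_until_expiry(not_after, now=None):
    """Whole days left before a notAfter string as returned by getpeercert()."""
    now = time.time() if now is None else now
    # Floor division: a certificate that expired one second ago yields -1.
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(days_left, threshold=RENEW_THRESHOLD_DAYS):
    """Map remaining days to an action for monitoring."""
    if days_left < 0:
        return "expired"
    return "renew" if days_left <= threshold else "ok"


def fetch_not_after(host, port, ca_file=CA_FILE):
    """Handshake with the instance and return its certificate's notAfter."""
    # With cafile set, only the downloaded chain is trusted; the default
    # context also requires a valid chain and a matching host name.
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python check_cert.py <instance-endpoint> <port>
    host, port = sys.argv[1], int(sys.argv[2])
    try:
        left = days_until_expiry(fetch_not_after(host, port))
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake itself.
        sys.exit(f"TLS verification failed: {exc.verify_message}")
    print(f"{host}:{port} certificate: {left} days left ({classify(left)})")
    sys.exit(0 if classify(left) == "ok" else 1)
```

The non-zero exit status for "renew" lets a scheduled job alert before the renewal window closes.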
What's next
Connect your client to the SSL-enabled instance:
API reference
| API | Description |
|---|---|
| ModifyInstanceSSL | Configure SSL encryption for an instance |