Redis and TLS

TLS with the Redis server

Redis can be configured to have a TLS port, which may or may not require client certificate authentication. If you wish to connect to that port, you will need to select the Use TLS with server option in the connection.

If your Redis server does not require client certificate authentication, you can connect Gallium Data to it without any further configuration if you select the Trust server certificate option.

If you wish to verify the server certificate, then you will need to install the server's CA certificate in the Crypto tab, under Trust. This will tell Gallium Data that certificates signed by this authority are acceptable.

If your Redis server requires client certificate authentication, you will also need to add the client key and its corresponding certificate in the Crypto tab, under Keys.

TLS with the Redis clients

If you wish to require the Redis clients to use TLS, you can select the Use TLS with clients option in the connection. If that option is selected (and published), any clients trying to connect without TLS will be rejected. Selecting that option requires the installation of the

If, in addition, you want to require the clients to authenticate with a certificate, you can select the Require TLS client authentication option. If you do so, you will have to install a private key and certificate in the Keys section of the Crypto tab.

TLS details

The client side and the server side can be configured differently, so Gallium Data can act as a bridge between TLS and non-TLS connections. For instance, you can configure the server side to use TLS, and the client side to not use TLS, thereby allowing clients to connect to Gallium Data without encryption, even though the Redis server requires TLS.


It's easy to get confused between all the keys and certificates, so here's a complete configuration that is known to work.

If you follow the instructions in the Redis documentation to create a full set of keys and certificates, you will end up with a number of files, including specifically:

  • ca.crt: the CA certificate

  • redis.key: the private key

  • redis.crt: the certificate for the private key

If you don't use self-signed certificates, you will need to use the CA certificate for the authority that signed your certificate instead of ca.crt.

Which files to install in the Crypto tab?

For the server side:

  • If you select the Use TLS with server option and the Trust server certificate option, and your Redis server does not require client certificate authentication, then you don't need to install any keys or certificates

  • If you select the Use TLS with server option and your Redis server does require client certificate authentication, then you need to install the private key (redis.key) and the corresponding certificate (redis.crt) in the Crypto tab under Keys

  • If you select the Use TLS with server option but not the Trust server certificate option, you need to install the CA certificate (ca.crt) in the Crypto tab, under Trust

For the client side:

  • If you select the Use TLS with clients option, you need to install the private key (redis.key) and the corresponding certificate (redis.crt) in the Crypto tab under Keys

  • If you also select the Require TLS client authentication option, you need to install the CA certificate for the client's certificate in the Crypto tab, under Trust
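
Before installing files in the Crypto tab, it helps to confirm that the key and certificate going under Keys belong together, and that the CA certificate going under Trust really signed the certificate it is meant to validate. The script below is an added example, not part of Gallium Data or the Redis documentation; it assumes the openssl command-line tool is installed, and the function names, the script name and the other.key/other.crt sample files are made up for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the files this page names (ca.crt, redis.key, redis.crt)
# before installing them under Keys or Trust. Requires the openssl CLI.

# key_matches_cert KEY CERT: true only if CERT carries KEY's public key,
# i.e. the pair can be installed together under Keys.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# cert_signed_by CA CERT: true only if CERT verifies against CA,
# i.e. CA is the right certificate to install under Trust.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_sample_files DIR: constructed throwaway files for demonstration only,
# named like the Redis documentation's, plus an unrelated key and certificate.
make_sample_files() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -sha256 -key "$1/ca.key" -days 1 \
        -subj "/O=Sample/CN=Sample CA" -out "$1/ca.crt" &&
    openssl genrsa -out "$1/redis.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$1/redis.key" \
        -subj "/O=Sample/CN=redis" -out "$1/redis.csr" &&
    openssl x509 -req -sha256 -in "$1/redis.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -days 1 \
        -out "$1/redis.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -x509 -new -sha256 -key "$1/other.key" -days 1 \
        -subj "/O=Sample/CN=Unrelated CA" -out "$1/other.crt"
}

# Usage on real files: sh check-tls-files.sh ca.crt redis.key redis.crt
if [ "$#" -eq 3 ]; then
    if cert_signed_by "$1" "$3"; then echo "Trust: $3 is signed by $1"
    else echo "Trust: $3 is NOT signed by $1"; fi
    if key_matches_cert "$2" "$3"; then echo "Keys: $2 matches $3"
    else echo "Keys: $2 does NOT match $3"; fi
fi
```

A failed Trust check means the CA file is not the one that issued the certificate; a failed Keys check means the private key and certificate come from different pairs.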