Rotating Redis TLS Certificates Without Downtime


I am using Redis with TLS enabled, configured through the tls-cert-file, tls-key-file, and tls-ca-cert-file settings. I understand that to rotate these certificates, I need to update the certificate and key files. However, during this process, the client's connection needs to be re-established using the new CA certificate, which could potentially result in downtime.

I am seeking advice on how to rotate Redis TLS certificates without causing any downtime. What are the best practices or strategies for ensuring a smooth certificate rotation process while maintaining continuous service availability?

Similar to GCP Memorystore, maybe there is a way to have multiple server certificates at the same time. If so, it would be possible to first update the client's connection and after that retire the old TLS configuration.



Answered by Bob

From redis-cli, Redis servers (not Sentinels) can use

# Redis 7.0+: set cert and key in one CONFIG SET so the pair is validated and applied together
CONFIG SET tls-cert-file /path/to/new-redis.crt tls-key-file /path/to/new-redis.key

Once the commands are executed, the server works with the newly provided certs.


Config docs: https://redis.io/docs/management/config-file/

# Configure a X.509 certificate and private key to use for authenticating the
# server to connected clients, masters or cluster peers.  These files should be
# PEM formatted.
#
# tls-cert-file redis.crt
# tls-key-file redis.key
#
# If the key file is encrypted using a passphrase, it can be included here
# as well.
#
# tls-key-file-pass secret

# Normally Redis uses the same certificate for both server functions (accepting
# connections) and client functions (replicating from a master, establishing
# cluster bus connections, etc.).
#
# Sometimes certificates are issued with attributes that designate them as
# client-only or server-only certificates. In that case it may be desired to use
# different certificates for incoming (server) and outgoing (client)
# connections. To do that, use the following directives:
#
# tls-client-cert-file client.crt
# tls-client-key-file client.key
#
# If the key file is encrypted using a passphrase, it can be included here
# as well.
#
# tls-client-key-file-pass secret

# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange,
# required by older versions of OpenSSL (<3.0). Newer versions do not require
# this configuration and recommend against it.
#
# tls-dh-params-file redis.dh

# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
# clients and peers.  Redis requires an explicit configuration of at least one
# of these, and will not implicitly use the system wide configuration.
#
# tls-ca-cert-file ca.crt
# tls-ca-cert-dir /etc/ssl/certs
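The rotation sequence the answer relies on, written out as an added example (not Bob's code and not from the Redis project): the server-side CONFIG SET calls in the order that avoids a trust gap, encoded as the RESP arrays redis-cli sends on the wire. It assumes Redis 7.0 or newer (where a multi-parameter CONFIG SET is applied atomically), constructed file paths, and that the old+new CA bundle has already been distributed to every client.

```python
# Added example, not part of the original answer. Assumes Redis 7.0+ and
# constructed paths; clients must trust the new CA before step 2 runs.
from typing import List


def resp_encode(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings (the Redis wire format)."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def rotation_plan(ca_bundle_path: str, new_cert: str, new_key: str,
                  new_ca_only_path: str) -> List[bytes]:
    """Ordered server-side steps for a no-downtime rotation.

    ca_bundle_path holds BOTH the old and the new CA so clients and peers
    presenting either chain keep connecting during the overlap window;
    new_ca_only_path holds just the new CA for the final trim.
    """
    return [
        # 1. accept client/peer certs issued by the old AND the new CA
        resp_encode("CONFIG", "SET", "tls-ca-cert-file", ca_bundle_path),
        # 2. swap server cert and key in ONE call: Redis checks that the pair
        #    matches when it rebuilds the TLS context, so set them together
        resp_encode("CONFIG", "SET", "tls-cert-file", new_cert,
                    "tls-key-file", new_key),
        # 3. retire the old CA once nothing still chains to it
        resp_encode("CONFIG", "SET", "tls-ca-cert-file", new_ca_only_path),
        # 4. persist the runtime change so a restart does not reload old files
        resp_encode("CONFIG", "REWRITE"),
    ]


if __name__ == "__main__":
    for step in rotation_plan("/etc/redis/ca-bundle.crt", "/etc/redis/new.crt",
                              "/etc/redis/new.key", "/etc/redis/new-ca.crt"):
        print(step.decode().replace("\r\n", " "))
```

Step 1 only matters when Redis authenticates clients or peers against tls-ca-cert-file; the client-side trust store update that lets clients accept the new server certificate happens outside Redis and must precede step 2.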