content/operate/rs/security/certificates/_index.md

Redis Software uses self-signed certificates by default to ensure that the product is secure. These certificates are autogenerated on the first node of each Redis Software installation and are copied to all other nodes added to the cluster.

You can replace a self-signed certificate with one signed by a certificate authority of your choice.

Supported certificates

Here's the list of supported certificates that create secure, encrypted connections to your Redis Software cluster:

| Certificate name | Autogenerated | Description |
|---|---|---|
| api | Yes | Encrypts [REST API]({{< relref "/operate/rs/references/rest-api/" >}}) requests and responses. |
| ccs_internode_encryption | Yes | Control plane [internode encryption]({{< relref "/operate/rs/security/encryption/internode-encryption" >}}). Encrypts internal traffic for cluster management. |
| cm | Yes | Secures connections to the Redis Software Cluster Manager UI. |
| data_internode_encryption | Yes | Data plane [internode encryption]({{< relref "/operate/rs/security/encryption/internode-encryption" >}}). Encrypts internal data traffic between shards and the data management controller (DMC). |
| ldap_client | No | Secures connections between LDAP clients and LDAP servers. |
| metrics_exporter | Yes | Sends Redis Software metrics to external [monitoring tools]({{< relref "/operate/rs/monitoring/" >}}) over a secure connection. |
| mtls_trusted_ca | No | Required to enable certificate-based authentication for secure, passwordless access to the REST API. |
| proxy | Yes | Creates secure, encrypted connections between clients and databases. |
| sso_issuer | No | Identity provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). |
| sso_service | No | Service provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). |
| syncer | Yes | For [Active-Active]({{< relref "/operate/rs/databases/active-active/" >}}) or [Replica Of]({{< relref "/operate/rs/databases/import-export/replica-of/" >}}) databases, encrypts data during the synchronization of participating clusters. |

Certificates that are not autogenerated are optional unless you want to use certain features. For example, you must provide your own ldap_client certificate to enable [LDAP authentication]({{<relref "/operate/rs/security/access-control/ldap">}}), an mtls_trusted_ca certificate to enable certificate-based authentication, or sso_issuer and sso_service certificates for [single sign-on (SSO)]({{<relref "/operate/rs/security/access-control/saml-sso">}}).

Accept self-signed certificates to access the Cluster Manager UI

When you use the default self-signed certificates and you connect to the Cluster Manager UI over a web browser, you'll see an untrusted connection notification. Depending on your browser, you can allow the connection for each session or add an exception to trust the certificate for all future sessions.
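
As an added example (not part of the Redis documentation), the script below shows one way to confirm that a certificate exported from the browser warning is self-signed and to print its SHA-256 fingerprint, so it can be compared with the copy held on the cluster before you add a permanent exception. It assumes the `openssl` CLI is installed; the certificates, file names and the `cm-demo.example` host name are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify a PEM certificate as self-signed or CA-signed and
# print its SHA-256 fingerprint for out-of-band comparison.
# Every certificate used here is a constructed, throwaway sample.

# Succeeds only if subject == issuer AND the signature verifies with the
# certificate's own public key.
is_self_signed() {
  _subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  _iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ -n "$_subj" ] && [ "$_subj" = "$_iss" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Colon-separated SHA-256 fingerprint, the form browser certificate viewers show.
sha256_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Build constructed samples in directory $1:
#   self.pem  self-signed (stands in for an autogenerated cm certificate)
#   leaf.pem  signed by a separate demo CA (stands in for a replacement)
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cm-demo.example" \
    -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cm-demo.example" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for cert in self.pem leaf.pem; do
  if is_self_signed "$demo_dir/$cert"; then kind="self-signed"; else kind="CA-signed"; fi
  echo "$cert: $kind, SHA-256 $(sha256_fingerprint "$demo_dir/$cert")"
done
rm -rf "$demo_dir"
```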