Skip to main content
Version: 32.0.0

Redis TLS/SSL Configuration

Certificate Rotation

If you create a service instance with an SSL plan, the instance will generate a self-signed certificate for it. To implement a signed CA, please follow this guide: Common TLS Configuration.

If you have running instances with a self-signed certificate and change the SPI to use a signed CA, you might want to update the old ones.

While creating or updating a service instance, the CertGenerator checks, if the certificates are valid or not.

If they are valid, the (re)generation will be skipped and it will still use the existing one.

30 days before the certificate gets invalid, it can be rotated by updating the service instance.

To bypass the 30 days restriction and force the instance to update the certificate, you can use the user parameter force_certificate_rotation to force the re(generation) while using update-service.

For example:

cf update-service my-redis -c '{"force_certificate_rotation": true}'