# Redis TLS Certificate Verification

Transport Layer Security (TLS) is required for all connections to the Redis server. You must verify the server's certificate to establish a secure TLS connection. If `redis-cli` fails with a `certificate verify failed` error, use one of the following options:

<details>

<summary><strong>Option 1: Trust the Certificate Globally</strong></summary>

Add the Redis server’s CA certificate to the system trust store.

</details>

<details>

<summary><strong>Option 2: Provide the CA Certificate Directly to the Client</strong></summary>

Use the `--cacert` option with `redis-cli`, specifying the path to the CA certificate that signed the Redis server’s certificate.

{% hint style="info" %}
**Note:**

* If your system trust store is up-to-date, `--cacert` is usually not required.
* If you need the CA certificate, download it from the [<mark style="color:blue;">Let's Encrypt</mark>](https://letsencrypt.org/certificates/) certificates page.
{% endhint %}

</details>

<details>

<summary><strong>Option 3: Skip Certificate Verification</strong></summary>

Use the `--insecure` option to bypass the certificate checks.

{% hint style="warning" %}
**Warning:** You may skip verification of certificates for troubleshooting purposes only. It is not recommended for production environments.
{% endhint %}

</details>

## Additional checks

* Ensure the certificate’s Common Name (CN) or Subject Alternative Name (SAN) matches the hostname you use to connect.
* Keep your system trust store current to avoid outdated CA issues.
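
To find out which option or check applies before changing anything, the following added example (not part of the original page or of Redis itself) reads the verify result reported by `openssl s_client` and maps it to the remediations above. The function names `verify_code`, `remedy_for` and `probe` are hypothetical, the host, port and CA file are supplied by you, and the embedded sample output is constructed.

```shell
#!/bin/sh
# Added example: map an OpenSSL verify result to the options on this page.

# Constructed s_client excerpt for offline use (not captured from a real server).
SAMPLE_OUTPUT='CONNECTED(00000003)
Verification error: unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'

# Read `openssl s_client` output on stdin, print the first numeric verify code.
verify_code() {
  sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Translate an OpenSSL verify code into the matching remediation.
remedy_for() {
  case "$1" in
    0)           echo "ok: chain and hostname verified" ;;
    18|19|20|21) echo "untrusted-ca: add the CA to the trust store or pass --cacert" ;;
    10)          echo "expired: a certificate in the chain has expired" ;;
    62)          echo "hostname-mismatch: connect with a name in the certificate CN/SAN" ;;
    "")          echo "no-result: no verify code in the output" ;;
    *)           echo "other: OpenSSL verify code $1" ;;
  esac
}

# Probe host:port. The optional third argument is the CA file you would
# otherwise hand to: redis-cli --tls -h HOST -p PORT --cacert CAFILE
probe() {
  host=$1; port=$2; cafile=${3:-}
  set -- -connect "$host:$port" -servername "$host" -verify_hostname "$host"
  if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; fi
  openssl s_client "$@" </dev/null 2>/dev/null | verify_code
}

if [ "$#" -ge 2 ]; then
  remedy_for "$(probe "$@")"          # live check: ./script HOST PORT [CAFILE]
else
  remedy_for "$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_code)"   # offline demo
fi
```

Run it with a host and port to test the system trust store, then again with a CA file as the third argument to confirm that the same file will work with `--cacert`.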
