Connecting to Redis over TLS from iPhone: A Complete Guide

June 30, 2026 · Vladimir Chemeris

Written and maintained by Vladimir Chemeris, the developer of CacheDeck.

Most Redis deployments that are reachable from the internet require TLS. Whether your server runs Redis 6+ TLS mode, Upstash, AWS ElastiCache, or Azure Cache for Redis, the connection must be encrypted. CacheDeck makes connecting to Redis over TLS from an iPhone straightforward, with full TLS 1.3 and mTLS support baked in, and certificates stored securely in the iOS Keychain.

This guide walks through every scenario: plain TLS, mutual TLS, custom CA certificates for self-signed setups, and the major cloud providers.

TLS vs mTLS for Redis: quick overview

TLS (Transport Layer Security, standardized as TLS 1.3 in RFC 8446) encrypts the data in transit between client and server. The client verifies the server’s identity using a certificate signed by a trusted CA. Redis 6+ introduced native TLS support; all major managed Redis providers (Upstash, ElastiCache, Azure Cache) enforce TLS-only connections.

mTLS (mutual TLS) goes further: the server also requires the client to present a certificate. This means both sides authenticate each other before any data is exchanged. mTLS is common in high-security environments and in managed services that offer certificate-based authentication rather than (or in addition to) password authentication.

The practical difference for mobile access:

|  | TLS | mTLS |
|---|---|---|
| Server authenticated | Yes | Yes |
| Client authenticated | No | Yes (client cert required) |
| Redis support | Redis 6+ | Redis 6+ with tls-auth-clients yes |
| Cloud providers | All major providers | Varies; some offer cert download |

CacheDeck supports both. For most managed services, plain TLS is sufficient. For private clusters or high-compliance environments, mTLS is available.

Setting up TLS in CacheDeck

For the common case (connecting to a Redis server that uses a certificate from a public CA, like Let’s Encrypt, DigiCert, or a managed-service provider), TLS requires a single toggle.

  1. Open CacheDeck and tap + to create a new connection (or tap an existing connection to edit it).
  2. Enter your Redis host and port. TLS-enabled Redis servers typically use port 6380 on managed services or 6379 with TLS enabled on self-hosted deployments.
  3. In the Security section, toggle Use TLS on.
  4. Tap Connect. CacheDeck negotiates TLS 1.3 and verifies the server certificate against the iOS system trust store.

If your server uses a self-signed certificate or a private CA, the system trust store will not recognize it and the connection will fail. In that case, add your CA certificate:

  1. Export your CA certificate as a .pem or .crt file.
  2. Transfer it to your iPhone (AirDrop, Files app, or email).
  3. In CacheDeck, tap Add CA Certificate in the TLS section and select the file.
  4. CacheDeck stores it in the iOS Keychain and uses it to validate the server’s certificate on every connection.

Mutual TLS (mTLS): adding a client certificate

[Figure: CacheDeck key browser after a successful TLS connection to Redis on iPhone. After connecting over TLS, the key browser loads the full keyspace immediately.]

If your Redis server requires the client to authenticate with a certificate (tls-auth-clients yes in redis.conf, or a managed service that issues client certificates), you need to upload a client certificate and its corresponding private key.

Step 1: Obtain your client certificate and private key. Your server administrator, or the managed service dashboard, will provide:

  • client.crt: the client certificate (PEM format)
  • client.key: the private key (PEM format)

Some services bundle these as a .p12 / PKCS#12 file. CacheDeck accepts both formats.

Step 2: Transfer the files to your iPhone. Use AirDrop, the Files app with iCloud Drive, or a secure file-transfer method you trust. Never send private keys over unencrypted email.

Step 3: Add the client certificate in CacheDeck.

  1. Open the connection editor and enable Use TLS if not already on.
  2. Tap Add Client Certificate in the TLS section.
  3. Select your .crt (or .p12) file. If using separate files, also tap Add Private Key and select client.key.
  4. CacheDeck imports both into the iOS Keychain immediately. The original files can be deleted from Files.

Step 4: Connect. CacheDeck presents the client certificate during the TLS handshake. The server validates it against its configured CA and, if accepted, completes the connection.
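The checks behind the custom-CA and client-certificate procedures above, as an added example that is not part of CacheDeck or the original guide: run on a workstation before transferring files, it confirms that the CA validates the server and client certificates, that the hostname is covered by the server certificate, and that client.crt matches client.key. The temp-directory PKI, the hostname redis.internal.example and all helper names are constructed for the demonstration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Workstation pre-flight for the files you are about to import (added example).
# Assumes OpenSSL 1.1.1 or later. All keys and certificates are constructed
# test material generated into a temp directory; hostnames are placeholders.

# Does this CA file validate this certificate? The client asks this about the
# server cert; under mTLS the server asks it about the client cert.
chains_to() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# Is the hostname you will type into the app covered by the server cert?
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Do client.crt and client.key belong together? Compare their public keys.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# --- constructed sample PKI: private CA, server leaf, client leaf ---
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
new_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1"
}
csr() { # name CN
  new_key "$d/$1.key"
  openssl req -new -key "$d/$1.key" -subj "/CN=$2" -out "$d/$1.csr"
}
issue() { # name hostname-or-CN, signed by the test CA
  csr "$1" "$2"
  printf 'subjectAltName=DNS:%s\n' "$2" > "$d/$1.ext"
  openssl x509 -req -in "$d/$1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/$1.ext" -days 1 -out "$d/$1.crt" 2>/dev/null
}
csr ca "Constructed Test CA"
printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -extfile "$d/ca.ext" \
  -days 1 -out "$d/ca.pem" 2>/dev/null
issue server redis.internal.example
issue client cachedeck-client
new_key "$d/other.key"   # a key that does NOT belong to client.crt

check() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
check chains_to    "$d/ca.pem" "$d/server.crt"
check host_matches "$d/server.crt" redis.internal.example
check chains_to    "$d/ca.pem" "$d/client.crt"
check key_matches  "$d/client.crt" "$d/client.key"
check key_matches  "$d/client.crt" "$d/other.key"   # expected FAIL: wrong key
```

To check real files, call the three functions with your own ca.pem, server certificate, client.crt and client.key in place of the generated ones.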

Connecting to Upstash, ElastiCache, or Azure Cache over TLS

Upstash

Upstash Redis is TLS-only; unencrypted connections are rejected. The certificate is issued by a public CA, so no custom CA upload is needed.

  1. Copy your Upstash endpoint (e.g., us1-xxxx.upstash.io) and port (typically 6380).
  2. Enter them in CacheDeck, enable Use TLS, and enter your Upstash password in the Auth field.
  3. Connect. No additional certificate configuration required.

AWS ElastiCache (TLS enabled)

ElastiCache TLS uses an Amazon-issued certificate. The iOS trust store includes Amazon Root CA, so no custom CA upload is needed in most cases.

  1. Use the ElastiCache Primary Endpoint as the host and port 6380 (TLS port).
  2. Enable Use TLS in CacheDeck.
  3. If your cluster uses in-transit encryption with an AUTH token, enter the token in the Auth field.
  4. Connect. If you see a certificate error, download the Amazon ElastiCache TLS CA bundle and upload it as a custom CA in CacheDeck.

Azure Cache for Redis

Azure Cache for Redis enforces TLS on port 6380 by default.

  1. Copy the Host name (e.g., myredis.redis.cache.windows.net) and use port 6380.
  2. Enable Use TLS in CacheDeck.
  3. Enter the Primary access key as the password in the Auth field.
  4. Connect. Azure’s certificate is issued by DigiCert, trusted by iOS out of the box.

How CacheDeck stores your certificates

When you add a CA certificate, client certificate, or private key in CacheDeck, each item is stored in the iOS Keychain, the same encrypted storage that holds Face ID data and saved passwords. Apple’s iOS Security Guide describes the Keychain as hardware-encrypted and tied to the device’s Secure Enclave.

This means:

  • Certificates and keys never leave your device: they are not sent to any cloud sync, backup service, or analytics endpoint.
  • CacheDeck has no analytics SDK and no cloud account. There is no server that receives your credentials.
  • The Keychain entry is scoped to CacheDeck and is not accessible to other apps.
  • If you delete CacheDeck, the Keychain entries are removed with it.

TLS in CacheDeck can also be combined with an SSH tunnel; these are independent features. A common pattern for private clusters is to tunnel over SSH to a bastion host and then use TLS for the Redis connection itself, giving you two separate layers of encryption.

CacheDeck requires iOS 17 or later and is a one-time $14.99 purchase with no subscription.


CacheDeck is the native iOS Redis client built for DevOps engineers and SREs: TLS 1.3, mTLS, SSH tunnels, and iOS Keychain certificate storage in a single $14.99 app.
