RS: Customer-managed certificates for internode encryption

assets/css/index.css

@@ -579,6 +579,11 @@ html {
   scrollbar-gutter: stable;
 }
 
+/* Auto-clickable for standalone images */
+img:not(a img):not(.image-card-img):not([src*="#no-click"]) {
+  cursor: pointer;
+}
+
 /* Chroma syntax highlighting */
 
 /* Background */

content/operate/rs/security/certificates/_index.md

@@ -22,7 +22,9 @@ Here's the list of supported certificates that create secure, encrypted connecti
 | Certificate name | Autogenerated | Description |
 |------------------|:---------------:|-------------|
 | `api` | <span title="Yes">&#x2705;</span> | Encrypts [REST API]({{< relref "/operate/rs/references/rest-api/" >}}) requests and responses. |
+| `ccs_internode_encryption` | <span title="Yes">&#x2705;</span> | Control plane [internode encryption]({{< relref "/operate/rs/security/encryption/internode-encryption" >}}). Encrypts internal traffic for cluster management. |
 | `cm` | <span title="Yes">&#x2705;</span> | Secures connections to the Redis Enterprise Cluster Manager UI. |
+| `data_internode_encryption` | <span title="Yes">&#x2705;</span> | Data plane [internode encryption]({{< relref "/operate/rs/security/encryption/internode-encryption" >}}). Encrypts internal data traffic between shards and the data management controller (DMC). |
 | `ldap_client` | <span title="No">:x:</span> | Secures connections between LDAP clients and LDAP servers. |
 | `metrics_exporter` | <span title="Yes">&#x2705;</span> | Sends Redis Enterprise metrics to external [monitoring tools]({{< relref "/operate/rs/monitoring/" >}}) over a secure connection. |
 | `mtls_trusted_ca` | <span title="No">:x:</span>  | Required to enable certificate-based authentication for secure, passwordless access to the REST API. |

content/operate/rs/security/certificates/updating-certificates.md

@@ -16,7 +16,7 @@ When you update the certificates, the new certificate replaces the same certific
 
 ## How to update certificates
 
-You can use the [`rladmin`]({{< relref "/operate/rs/references/cli-utilities/rladmin" >}}) command-line interface (CLI) or the [REST API]({{< relref "/operate/rs/references/rest-api" >}}) to update certificates. The Cluster Manager UI lets you update proxy and syncer certificates on the **Cluster > Security > Certificates** screen.
+You can use the [`rladmin`]({{< relref "/operate/rs/references/cli-utilities/rladmin" >}}) command-line interface (CLI) or the [REST API]({{< relref "/operate/rs/references/rest-api" >}}) to update certificates. The Cluster Manager UI lets you update proxy, syncer, and internode encryption certificates on the **Cluster > Security > Certificates** screen.
 
 The new certificates are used the next time the clients connect to the database.
 
@@ -33,6 +33,7 @@ To replace proxy or syncer certificates using the Cluster Manager UI:
 1. Go to **Cluster > Security > Certificates**.
 
 1. Expand the section for the certificate you want to update:
+    - For internode encryption certificates, expand **Internode encryption certificates**.
     - For the proxy certificate, expand **Server authentication**.
     - For the syncer certificate, expand **Replica Of and Active-Active authentication**.
 

content/operate/rs/security/encryption/internode-encryption.md

@@ -87,7 +87,11 @@ To enable internode encryption for new databases by default, use one of the foll
     { "data_internode_encryption": true }
     ```
 
-## Encryption ciphers and settings
+## Self-signed certificates
+
+By default, Redis Enterprise Software uses self-signed certificates for internode encryption. These certificates are automatically generated, managed, and rotated by the system.
+
+### Encryption ciphers and settings
 
 To encrypt internode communications, Redis Enterprise Software uses TLS 1.2 and the following cipher suites:
 
@@ -103,7 +107,7 @@ The TLS layer determines which TLS version to use.
 
 No configurable settings are exposed; internode encryption is used internally within a cluster and not exposed to any outside service.
 
-## Certificate authority and rotation
+### Certificate authority and rotation
 
 Starting with v6.2.4, internode communication is managed, in part, by two certificates: one for the control plane and one for the data plane.  These certificates are signed by a private certificate authority (CA).  The CA is not exposed outside of the cluster, so it cannot be accessed by external processes or services.  In addition, each cluster generates a unique CA that is not used anywhere else.
 
@@ -118,3 +122,90 @@ You can use the Redis Enterprise Software REST API to rotate certificates manual
 ``` rest
 POST /v1/cluster/certificates/rotate
 ```
+
+## Customer-provided certificates
+
+Instead of using Redis Enterprise Software's self-signed certificates for internode encryption, you can provide certificates generated by your Certificate Authority (CA).
+
+### Certificate requirements
+
+Customer-provided internode encryption certificates must meet the following requirements:
+
+- Certificates must be in PEM format.
+
+- Certificates must contain the certificate chain and the leaf certificate.
+
+### Upload customer-provided certificates
+
+You can upload either:
+
+- One certificate for both data plane internode encryption (DPINE) and control plane internode encryption (CPINE).
+
+- Two separate certificates: one for DPINE and one for CPINE.
+
+To upload internode encryption certificates, use one of the following methods:
+
+{{< multitabs id="get-module-versions" 
+tab1="Cluster Manager UI"
+tab2="rladmin"
+tab3="REST API" >}}
+
+1. In the Cluster Manager UI, go to **Cluster > Security > Certificates**.
+
+1. Expand the **Internode encryption certificates** section.
+
+1. Click **Replace certificates**.
+
+1. In the **Internode encryption certificates** panel, select one of the following options:
+
+    - Use the same certificate for data and control plane internode encryption
+
+    - Use separate certificates for data and control plane internode encryption
+
+1. For each certificate and key, click **Upload** and use the file browser to select the relevant PEM file.
+
+1. Click **Save & Rotate**.
+
+-tab-sep-
+
+<!-- TODO: these are placeholder examples, need to confirm real commands-->
+
+Run [`rladmin cluster certificate`]({{< relref "/operate/rs/references/cli-utilities/rladmin/cluster/certificate" >}}).
+
+To upload a single certificate for both CPINE and DPINE:
+
+```sh
+rladmin cluster certificate set cpine_dpine certificate_file <cert1>.pem key_file <key1>.pem
+```
+
+To upload 2 different certificate and key pairs for CPINE and DPINE:
+
+```sh
+rladmin cluster certificate set cpine certificate_file <cert1>.pem key_file <key1>.pem dpine certificate_file <cert2>.pem key_file <key2>.pem
+```
+
+-tab-sep-
+
+<!-- TODO: these are placeholder examples, need to confirm real API-->
+
+Send a [`PUT /v1/certificates`]({{< relref "/operate/rs/references/rest-api/requests/certificates#put-certificates" >}}) request:
+
+```sh
+PUT https://<host>:<port>/v1/certificates
+```
+
+{{< /multitabs >}}
+
+
+### Certificate expiration and rotation
+
+Customer-provided internode encryption certificates are not rotated automatically. To prevent possible issues with cluster and database unavailability caused by expired internode encryption certificates:
+
+- You should monitor the certificates' expiration dates and renew them before they expire.
+
+- In case you do not renew the customer-managed certificates before they expire, Redis Enterprise Software automatically replaces them with self-signed certificates 5 days before expiration. You can upload new customer-provided certificates to replace these certificates anytime.
+
+### Performance recommendations
+
+For optimal performance with customer-provided certificates, follow the same recommendations as for self-signed certificates detailed in the [Encryption ciphers and settings](#encryption-ciphers-and-settings) section.
+

static/js/index.js

@@ -184,4 +184,17 @@ const mobileMenu = (() => {
   document.addEventListener('click', clickHandler, false)
   document.addEventListener('keydown', keyHandler, false)
 
-})()
+})()
+
+// Simple click-to-open for standalone images
+document.addEventListener('click', function(e) {
+  // Check if clicked element is a standalone img (not inside an anchor, not image-card, not no-click)
+  if (e.target.tagName === 'IMG' &&
+      !e.target.closest('a') &&
+      !e.target.classList.contains('image-card-img') &&
+      !e.target.src.includes('#no-click')) {
+
+    // Open image in same tab, just like clicking a regular link
+    window.location.href = e.target.src
+  }
+})