diff --git a/pkg/meta/redis.go b/pkg/meta/redis.go
index 9a801271e5c29..7cb24780f1d68 100644
--- a/pkg/meta/redis.go
+++ b/pkg/meta/redis.go
@@ -22,6 +22,7 @@ package meta
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
 	"encoding/binary"
 	"encoding/json"
 	"fmt"
@@ -110,6 +111,8 @@ func newRedisMeta(driver, addr string, conf *Config) (Meta, error) {
 	writeTimeout := query.duration("write-timeout", "write_timeout", time.Second*5)
 	routeRead := query.pop("route-read")
 	skipVerify := query.pop("insecure-skip-verify")
+	certFile := query.pop("tls-cert-file")
+	keyFile := query.pop("tls-key-file")
 	u.RawQuery = values.Encode()
 
 	hosts := u.Host
@@ -120,6 +123,13 @@ func newRedisMeta(driver, addr string, conf *Config) (Meta, error) {
 	if opt.TLSConfig != nil {
 		opt.TLSConfig.ServerName = "" // use the host of each connection as ServerName
 		opt.TLSConfig.InsecureSkipVerify = skipVerify != ""
+		if certFile != "" {
+			cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+			if err != nil {
+				return nil, fmt.Errorf("get certificate error certFile:%s keyFile:%s error:%s", certFile, keyFile, err)
+			}
+			opt.TLSConfig.Certificates = []tls.Certificate{cert}
+		}
 	}
 	if opt.Password == "" {
 		opt.Password = os.Getenv("REDIS_PASSWORD")