pingcap · ti-chi-bot · Oct 11, 2025 · Sep 19, 2025 · Sep 24, 2025 · Oct 11, 2025
diff --git a/en/enable-tls-between-components.md b/en/enable-tls-between-components.md
@@ -1747,3 +1747,11 @@ This section describes how to enable TLS encrypted communication for an existing
 5. If you previously scaled down the PD nodes, scale them back up to the original number.
 
 6. Wait for all Pods in the TiDB cluster to restart.
+
+## Reload certificates
+
+If you used `cfssl` to generate the cert and key files manually, you'll need to update the `Secret` manually.
+
+If you used `cert-manager` to generate the cert and key files, it'll update the `Secret` automatically if any issuance happened.
+
+TiDB, PD, TiKV, TiFlash, TiCDC, TiProxy, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster. Once the `Secret` is updated, the certs and keys will be reloaded automatically.
diff --git a/zh/enable-tls-between-components.md b/zh/enable-tls-between-components.md
@@ -1733,3 +1733,11 @@ aliases: ['/docs-cn/tidb-in-kubernetes/dev/enable-tls-between-components/']
 5. 如果之前进行了 PD 节点缩容，请将其扩容为原有数量。
 
 6. 等待 TiDB 集群中的所有 Pod 完成重启。
+
+## 证书重新加载
+
+如果通过 `cfssl` 的方式创建证书，你将需要手动更新 `Secret`。
+
+如果通过 `cert-manager` 的方式创建证书，`cert-manager` 将在重新颁发证书的时候自动更新 `Secret`。
+
+TiDB、PD、TiKV、TiFlash、TiCDC 和各种 client 在每次新建相互通讯的连接时都会重新读取当前的证书和密钥文件内容，实现证书和密钥的重新加载，无需重启 TiDB 集群。所以在 `Secret` 更新后，证书将会自动更新。