This is an automated cherry-pick of pingcap#22138

dveeden · ti-chi-bot · commit 4b99b89e3780 · 2025-12-09T09:04:54.000Z
Signed-off-by: ti-chi-bot &lt;ti-community-prow-bot@tidb.io&gt;
diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md
@@ -242,6 +242,11 @@ After configuring TLS for communication between TiDB components, you can use the
 ## Reload certificates
 
 - If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster.
+<<<<<<< HEAD
+=======
+
+- TiProxy reloads certificates from disk once an hour.
+>>>>>>> 9cff933fa3 (tiproxy: add note about reloading certificates once an hour (#22138))
 
 - If your TiDB cluster is deployed on your own managed cloud, make sure that the issuance of TLS certificates is integrated with the certificate management service of the cloud provider. The TLS certificates of the TiDB, PD, TiKV, TiFlash, and TiCDC components can be automatically rotated without restarting the TiDB cluster.
 
diff --git a/tiproxy/tiproxy-configuration.md b/tiproxy/tiproxy-configuration.md
@@ -214,6 +214,10 @@ Starting from v1.3.1, TiProxy supports configuring multiple virtual IP addresses
 
 ### security
 
+> **Note:**
+>
+> TiProxy reloads certificates from disk once an hour. Therefore, any changes that you make to certificate files on disk can take up to one hour to take effect.
+
 There are four TLS objects in the `[security]` section with different names. They share the same configuration format and fields, but they are interpreted differently depending on their names.
 
 ```toml
