From befd7e858850d139289b7f635d7eb95a141aa3c6 Mon Sep 17 00:00:00 2001 From: Michael Katzenellenbogen Date: Tue, 19 Aug 2025 18:15:35 -0400 Subject: [PATCH] brief documentation on TLS cert and key reloading --- docs/docs/configuration/tls.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/docs/configuration/tls.md b/docs/docs/configuration/tls.md index 68344b22..cea5e1fe 100644 --- a/docs/docs/configuration/tls.md +++ b/docs/docs/configuration/tls.md @@ -36,6 +36,9 @@ There are two recommended configurations: If not specified, the defaults from [`crypto/tls`](https://pkg.go.dev/crypto/tls#CipherSuites) of the currently used `go` version for building `oauth2-proxy` will be used. A complete list of valid TLS cipher suite names can be found in [`crypto/tls`](https://pkg.go.dev/crypto/tls#pkg-constants). +3. The TLS server certificate and key can be reloaded without restarting `oauth2-proxy` by sending a `SIGHUP` to a running `oauth2-proxy` process. + If the `oauth2-proxy` server encounters a failure while reloading the certificate or key, the existing certificate and key will remain unchanged and an error will be logged. + ### Terminate TLS at Reverse Proxy, e.g. Nginx 1. Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ...
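Review bot: The new item 3 in `docs/docs/configuration/tls.md` says the certificate and key "can be reloaded" on `SIGHUP` but never says what is re-read. If the files are read again from the already configured certificate and key paths, say so. Also state whether the same signal reloads anything else in the configuration, so an operator who rotates files in place knows what a `SIGHUP` will and will not pick up. The failure sentence is clearer as "the existing certificate and key remain in use" than "will remain unchanged". Because a failed reload is reported only through a log entry, the text should tell operators to check the log after sending the signal; otherwise a rotation that silently failed leaves the old certificate being served until it expires. One sentence on whether established connections are affected by a successful reload would round this out.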