memgraph · as51340 · Apr 3, 2026
@@ -3,6 +3,7 @@ title: SSL encryption
 description: Learn how to enable SSL encryption to secure data transmission and protect sensitive information. More security features are at your disposal in our documentation page.
 ---
 
+import { Callout } from "nextra/components";
 import { Tabs } from "nextra/components";
 import { Steps } from "nextra/components";
 
@@ -145,6 +146,42 @@ WebSocket over SSL is currently not supported in Memgraph.
 </Tabs.Tab>
 </Tabs>
 
+## Reload SSL certificates at runtime
+
+You can rotate SSL certificates without restarting Memgraph by using the
+`RELOAD BOLT_SERVER TLS` Cypher command. This is useful in production
+environments where certificate rotation is required (e.g., Let's Encrypt
+renewals or compliance requirements) and downtime is not acceptable.
+
+To reload SSL certificates:
+
+1. Replace the certificate and key files on disk (at the paths originally
+   configured with `--bolt-cert-file` and `--bolt-key-file`).
+2. Run the following command from any connected client:
+
+```cypher
+RELOAD BOLT_SERVER TLS;
+```
+
+After a successful reload:
+- **New connections** will use the updated certificate.
+- **Existing connections** continue using the previous certificate until they
+  disconnect.
+
+If the reload fails (e.g., due to an invalid certificate or missing file), the
+existing SSL configuration remains active and an error is returned. The server
+continues to operate normally.
+
+<Callout type="info">
+The `RELOAD BOLT_SERVER TLS` command cannot be executed inside an explicit
+(multi-command) transaction.
+</Callout>
+
+<Callout type="warning">
+Running `RELOAD BOLT_SERVER TLS` on a Memgraph instance that was started
+without SSL enabled will return an error.
+</Callout>
+
 ## How to set up SSL encryption
 
 Memgraph uses SSL (Secure Sockets Layer) protocol for establishing an