diff --git a/pkg/manager/member/tiproxy_member_manager.go b/pkg/manager/member/tiproxy_member_manager.go
index 48dfedd52e..4605fa61c7 100644
--- a/pkg/manager/member/tiproxy_member_manager.go
+++ b/pkg/manager/member/tiproxy_member_manager.go
@@ -42,6 +42,7 @@ import (
 const tiproxyVolumeMountPath = "/var/lib/tiproxy"
 const tiproxySQLPath = "/var/lib/tiproxy-sql-tls"
 const tiproxyServerPath = "/var/lib/tiproxy-server-tls"
+const tiproxyHTTPServerPath = "/var/lib/tiproxy-http-server-tls"
 
 func labelTiProxy(tc *v1alpha1.TidbCluster) label.Label {
 	instanceName := tc.GetInstanceName()
@@ -155,9 +156,13 @@ func (m *tiproxyMemberManager) syncConfigMap(tc *v1alpha1.TidbCluster, set *apps
 	// TODO: this should only be set on `tlsCluster`. `tlsTiDB` check is for backward compatibility.
 	// and it should be removed in the future.
 	if tlsCluster || tlsTiDB {
-		cfgWrapper.Set("security.server-http-tls.ca", path.Join(tiproxyServerPath, "ca.crt"))
-		cfgWrapper.Set("security.server-http-tls.key", path.Join(tiproxyServerPath, "tls.key"))
-		cfgWrapper.Set("security.server-http-tls.cert", path.Join(tiproxyServerPath, "tls.crt"))
+		p := tiproxyHTTPServerPath
+		if tlsTiDB {
+			p = tiproxyServerPath
+		}
+		cfgWrapper.Set("security.server-http-tls.ca", path.Join(p, "ca.crt"))
+		cfgWrapper.Set("security.server-http-tls.key", path.Join(p, "tls.key"))
+		cfgWrapper.Set("security.server-http-tls.cert", path.Join(p, "tls.crt"))
 		cfgWrapper.Set("security.server-http-tls.skip-ca", true)
 	}
 
@@ -431,6 +436,8 @@ func (m *tiproxyMemberManager) getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *c
 			Name:      util.ClusterClientVolName,
 			ReadOnly:  true,
 			MountPath: util.ClusterClientTLSPath,
+		}, corev1.VolumeMount{
+			Name: "tiproxy-tls", ReadOnly: true, MountPath: tiproxyHTTPServerPath,
 		})
 
 		vols = append(vols, corev1.Volume{
@@ -439,6 +446,12 @@ func (m *tiproxyMemberManager) getNewStatefulSet(tc *v1alpha1.TidbCluster, cm *c
 					SecretName: util.ClusterClientTLSSecretName(tc.Name),
 				},
 			},
+		}, corev1.Volume{
+			Name: "tiproxy-tls", VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: util.ClusterTLSSecretName(tc.Name, label.TiProxyLabelVal),
+				},
+			},
 		})
 	}
 	if tc.Spec.TiDB != nil && tc.Spec.TiDB.IsTLSClientEnabled() {