diff --git a/cmd/backup-manager/app/backup/backup.go b/cmd/backup-manager/app/backup/backup.go
index 5e9ab4210d1..2becef8bf6d 100644
--- a/cmd/backup-manager/app/backup/backup.go
+++ b/cmd/backup-manager/app/backup/backup.go
@@ -23,15 +23,16 @@ import (
 "github.com/gogo/protobuf/proto"
 kvbackup "github.com/pingcap/kvproto/pkg/backup"
 "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
- "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
+ backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
 "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
+ "github.com/pingcap/tidb-operator/pkg/util"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/klog"
 )
 // Options contains the input arguments to the backup command
 type Options struct {
- util.GenericOptions
+ backupUtil.GenericOptions
 }
 func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
@@ -44,10 +45,10 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
 return "", err
 }
 args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", backup.Spec.BR.Cluster, clusterNamespace))
- if backup.Spec.BR.EnableTLSClient {
- args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
- args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
- args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
+ if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled {
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.ClusterClientTLSPath, corev1.ServiceAccountRootCAKey)))
+ args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSCertKey)))
+ args = append(args, fmt.Sprintf("--key=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSPrivateKeyKey)))
 }
 var btype string
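Review bot: The TLS decision for BR is now read from the Backup object's own `spec.br.tlsCluster` instead of the target TidbCluster, so a Backup that omits `tlsCluster` against a TLS-enabled cluster launches BR with no `--ca`/`--cert`/`--key` flags; nothing in this hunk checks that the two settings agree, and the result is either a failed PD connection or, should PD also accept plaintext, a backup that silently runs unencrypted. The controller should validate or default `backup.Spec.BR.TLSCluster` from the referenced TidbCluster's `spec.tlsCluster` before the job is created, or at minimum carry a comment such as `// TLSCluster must mirror the target TidbCluster's spec.tlsCluster; the operator does not derive it` next to the check. The `--ca` path is built from `corev1.ServiceAccountRootCAKey`, a constant borrowed from the service-account secret layout; it works only because the cluster-client secret happens to use the same key name, so a named constant for that secret's CA key would make the coupling explicit. restoreData in restore.go carries the identical change and the same points apply there. backupData starts before and continues after this hunk.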
@@ -73,7 +74,7 @@ func (bo *Options) backupData(backup *v1alpha1.Backup) (string, error) {
 // getCommitTs get backup position from `EndVersion` in BR backup meta
 func getCommitTs(backup *v1alpha1.Backup) (uint64, error) {
 var commitTs uint64
- s, err := util.NewRemoteStorage(backup)
+ s, err := backupUtil.NewRemoteStorage(backup)
 if err != nil {
 return commitTs, err
 }
@@ -101,7 +102,7 @@ func getCommitTs(backup *v1alpha1.Backup) (uint64, error) {
 // constructOptions constructs options for BR and also return the remote path
 func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
- args, remotePath, err := util.ConstructBRGlobalOptionsForBackup(backup)
+ args, remotePath, err := backupUtil.ConstructBRGlobalOptionsForBackup(backup)
 if err != nil {
 return args, remotePath, err
 }
@@ -124,7 +125,7 @@ func constructOptions(backup *v1alpha1.Backup) ([]string, string, error) {
 // getBackupSize get the backup data size from remote
 func getBackupSize(backup *v1alpha1.Backup) (int64, error) {
 var size int64
- s, err := util.NewRemoteStorage(backup)
+ s, err := backupUtil.NewRemoteStorage(backup)
 if err != nil {
 return size, err
 }
diff --git a/cmd/backup-manager/app/restore/restore.go b/cmd/backup-manager/app/restore/restore.go
index 90d0667ee09..d2e5a643d87 100644
--- a/cmd/backup-manager/app/restore/restore.go
+++ b/cmd/backup-manager/app/restore/restore.go
@@ -18,15 +18,15 @@ import (
 "os/exec"
 "path"
- "github.com/pingcap/tidb-operator/cmd/backup-manager/app/constants"
- "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
+ backupUtil "github.com/pingcap/tidb-operator/cmd/backup-manager/app/util"
 "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1"
+ "github.com/pingcap/tidb-operator/pkg/util"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/klog"
 )
 type Options struct {
- util.GenericOptions
+ backupUtil.GenericOptions
 }
 func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
@@ -39,10 +39,10 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
 return err
 }
 args = append(args, fmt.Sprintf("--pd=%s-pd.%s:2379", restore.Spec.BR.Cluster, clusterNamespace))
- if restore.Spec.BR.EnableTLSClient {
- args = append(args, fmt.Sprintf("--ca=%s", constants.ServiceAccountCAPath))
- args = append(args, fmt.Sprintf("--cert=%s", path.Join(constants.BRCertPath, corev1.TLSCertKey)))
- args = append(args, fmt.Sprintf("--key=%s", path.Join(constants.BRCertPath, corev1.TLSPrivateKeyKey)))
+ if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled {
+ args = append(args, fmt.Sprintf("--ca=%s", path.Join(util.ClusterClientTLSPath, corev1.ServiceAccountRootCAKey)))
+ args = append(args, fmt.Sprintf("--cert=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSCertKey)))
+ args = append(args, fmt.Sprintf("--key=%s", path.Join(util.ClusterClientTLSPath, corev1.TLSPrivateKeyKey)))
 }
 var restoreType string
@@ -66,7 +66,7 @@ func (ro *Options) restoreData(restore *v1alpha1.Restore) error {
 }
 func constructBROptions(restore *v1alpha1.Restore) ([]string, error) {
- args, err := util.ConstructBRGlobalOptionsForRestore(restore)
+ args, err := backupUtil.ConstructBRGlobalOptionsForRestore(restore)
 if err != nil {
 return nil, err
 }
diff --git a/docs/api-references/docs.html b/docs/api-references/docs.html
index 41c5be1b109..286be033d2c 100644
--- a/docs/api-references/docs.html
+++ b/docs/api-references/docs.html
@@ -1546,13 +1546,17 @@

BRConfig -enableTLSClient
+tlsCluster
-bool + +TLSCluster + -

Whether enable TLS in TiDBCluster

+(Optional) +

Whether enable the TLS connection between TiDB server components +Optional: Defaults to nil

@@ -6652,6 +6656,7 @@

TLSCluster

(Appears on: +BRConfig, TidbClusterSpec)

diff --git a/manifests/crd.yaml b/manifests/crd.yaml index d69a3a1d498..0caffeaec26 100644 --- a/manifests/crd.yaml +++ b/manifests/crd.yaml @@ -6766,9 +6766,6 @@ spec: db: description: DB is the specific DB which will be backed-up or restored type: string - enableTLSClient: - description: Whether enable TLS in TiDBCluster - type: boolean logLevel: description: LogLevel is the log level type: string @@ -6796,6 +6793,7 @@ spec: description: TimeAgo is the history version of the backup task, e.g. 1m, 1h type: string + tlsCluster: {} required: - cluster type: object @@ -7610,9 +7608,6 @@ spec: db: description: DB is the specific DB which will be backed-up or restored type: string - enableTLSClient: - description: Whether enable TLS in TiDBCluster - type: boolean logLevel: description: LogLevel is the log level type: string @@ -7640,6 +7635,7 @@ spec: description: TimeAgo is the history version of the backup task, e.g. 1m, 1h type: string + tlsCluster: {} required: - cluster type: object @@ -8497,9 +8493,6 @@ spec: description: DB is the specific DB which will be backed-up or restored type: string - enableTLSClient: - description: Whether enable TLS in TiDBCluster - type: boolean logLevel: description: LogLevel is the log level type: string @@ -8527,6 +8520,7 @@ spec: description: TimeAgo is the history version of the backup task, e.g. 1m, 1h type: string + tlsCluster: {} required: - cluster type: object diff --git a/pkg/apis/pingcap/v1alpha1/openapi_generated.go b/pkg/apis/pingcap/v1alpha1/openapi_generated.go index 077d8ddad4f..ae26ed35e2e 100644 --- a/pkg/apis/pingcap/v1alpha1/openapi_generated.go +++ b/pkg/apis/pingcap/v1alpha1/openapi_generated.go 
@@ -375,11 +375,10 @@ func schema_pkg_apis_pingcap_v1alpha1_BRConfig(ref common.ReferenceCallback) com
 Description: "BRConfig contains config for BR",
 Type: []string{"object"},
 Properties: map[string]spec.Schema{
- "enableTLSClient": {
+ "tlsCluster": {
 SchemaProps: spec.SchemaProps{
- Description: "Whether enable TLS in TiDBCluster",
- Type: []string{"boolean"},
- Format: "",
+ Description: "Whether enable the TLS connection between TiDB server components Optional: Defaults to nil",
+ Ref: ref("github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TLSCluster"),
 },
 },
 "cluster": {
@@ -470,6 +469,8 @@ func schema_pkg_apis_pingcap_v1alpha1_BRConfig(ref common.ReferenceCallback) com
 Required: []string{"cluster"},
 },
 },
+ Dependencies: []string{
+ "github.com/pingcap/tidb-operator/pkg/apis/pingcap/v1alpha1.TLSCluster"},
 }
 }
diff --git a/pkg/apis/pingcap/v1alpha1/types.go b/pkg/apis/pingcap/v1alpha1/types.go
index ee2f3813a84..499bb65e303 100644
--- a/pkg/apis/pingcap/v1alpha1/types.go
+++ b/pkg/apis/pingcap/v1alpha1/types.go
@@ -819,8 +819,10 @@ type BackupSpec struct {
 // +k8s:openapi-gen=true
 // BRConfig contains config for BR
 type BRConfig struct {
- // Whether enable TLS in TiDBCluster
- EnableTLSClient bool `json:"enableTLSClient,omitempty"`
+ // Whether enable the TLS connection between TiDB server components
+ // Optional: Defaults to nil
+ // +optional
+ TLSCluster *TLSCluster `json:"tlsCluster,omitempty"`
 // ClusterName of backup/restore cluster
 Cluster string `json:"cluster"`
 // Namespace of backup/restore cluster
diff --git a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
index e8ed1ac39cb..88e7aed5d1a 100644
--- a/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/pingcap/v1alpha1/zz_generated.deepcopy.go
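Review bot: The doc comment on the new `TLSCluster` field in types.go is the TidbClusterSpec wording and describes the cluster, not what the field means on a BRConfig, where it decides whether the backup/restore Job mounts the cluster's client certificate and whether BR is started with `--ca`/`--cert`/`--key`. Suggest `// TLSCluster enables TLS for BR's connection to the target cluster and must match that TidbCluster's spec.tlsCluster; the operator does not derive it.` followed by the existing `// Optional: Defaults to nil` and `// +optional` lines, so users understand the field has to mirror the cluster setting rather than configure it. The same sentence is what ends up in the generated OpenAPI description and in docs.html, so fixing it here fixes both on the next regeneration.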
@@ -28,6 +28,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BRConfig) DeepCopyInto(out *BRConfig) {
 *out = *in
+ if in.TLSCluster != nil {
+ in, out := &in.TLSCluster, &out.TLSCluster
+ *out = new(TLSCluster)
+ **out = **in
+ }
 if in.Concurrency != nil {
 in, out := &in.Concurrency, &out.Concurrency
 *out = new(uint32)
diff --git a/pkg/backup/backup/backup_manager.go b/pkg/backup/backup/backup_manager.go
index cf8d94e5f54..fa162fba9cf 100644
--- a/pkg/backup/backup/backup_manager.go
+++ b/pkg/backup/backup/backup_manager.go
@@ -22,6 +22,7 @@ import (
 backuputil "github.com/pingcap/tidb-operator/pkg/backup/util"
 "github.com/pingcap/tidb-operator/pkg/controller"
 "github.com/pingcap/tidb-operator/pkg/label"
+ "github.com/pingcap/tidb-operator/pkg/util"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
@@ -276,14 +277,17 @@ func (bm *backupManager) makeBackupJob(backup *v1alpha1.Backup) (*batchv1.Job, s
 backupLabel := label.NewBackup().Instance(backup.GetInstanceName()).BackupJob().Backup(name)
 volumeMounts := []corev1.VolumeMount{}
 volumes := []corev1.Volume{}
- if backup.Spec.BR.EnableTLSClient {
+ if backup.Spec.BR.TLSCluster != nil && backup.Spec.BR.TLSCluster.Enabled {
 volumeMounts = append(volumeMounts, corev1.VolumeMount{
- Name: "br-tls", ReadOnly: true, MountPath: constants.BRCertPath,
+ Name: "cluster-client-tls",
+ ReadOnly: true,
+ MountPath: util.ClusterClientTLSPath,
 })
 volumes = append(volumes, corev1.Volume{
- Name: "br-tls", VolumeSource: corev1.VolumeSource{
+ Name: "cluster-client-tls",
+ VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
- SecretName: fmt.Sprintf("%s-client", controller.PDMemberName(backup.Spec.BR.Cluster)),
+ SecretName: util.ClusterClientTLSSecretName(backup.Spec.BR.Cluster),
 },
 },
 })
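Review bot: The Secret volume in makeBackupJob references `util.ClusterClientTLSSecretName(backup.Spec.BR.Cluster)` by name only, and a Secret volume is always resolved in the Job's own namespace, so when the Backup lives in a different namespace from the target cluster (backup.go derives a `clusterNamespace` for the `--pd` address, which suggests that case is meant to work) the pod stalls on a missing secret with no error surfaced on the Backup; if cross-namespace backups are intended, the client secret has to be made available in the Backup's namespace, and otherwise the mismatch should be rejected before the Job is created. The same mount and secret are added by makeRestoreJob in restore_manager.go and the point applies there too. Also worth confirming that `fmt` and `constants` still have other uses in this file, since this hunk removes the only visible ones and the import hunk above does not drop them. makeBackupJob starts before and continues after this hunk.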
diff --git a/pkg/backup/restore/restore_manager.go b/pkg/backup/restore/restore_manager.go
index cdbcec11e8c..1a38b7489fb 100644
--- a/pkg/backup/restore/restore_manager.go
+++ b/pkg/backup/restore/restore_manager.go
@@ -23,6 +23,7 @@ import (
 listers "github.com/pingcap/tidb-operator/pkg/client/listers/pingcap/v1alpha1"
 "github.com/pingcap/tidb-operator/pkg/controller"
 "github.com/pingcap/tidb-operator/pkg/label"
+ "github.com/pingcap/tidb-operator/pkg/util"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
@@ -260,14 +261,17 @@ func (rm *restoreManager) makeRestoreJob(restore *v1alpha1.Restore) (*batchv1.Jo
 restoreLabel := label.NewBackup().Instance(restore.GetInstanceName()).RestoreJob().Restore(name)
 volumeMounts := []corev1.VolumeMount{}
 volumes := []corev1.Volume{}
- if restore.Spec.BR.EnableTLSClient {
+ if restore.Spec.BR.TLSCluster != nil && restore.Spec.BR.TLSCluster.Enabled {
 volumeMounts = append(volumeMounts, corev1.VolumeMount{
- Name: "br-tls", ReadOnly: true, MountPath: constants.BRCertPath,
+ Name: "cluster-client-tls",
+ ReadOnly: true,
+ MountPath: util.ClusterClientTLSPath,
 })
 volumes = append(volumes, corev1.Volume{
- Name: "br-tls", VolumeSource: corev1.VolumeSource{
+ Name: "cluster-client-tls",
+ VolumeSource: corev1.VolumeSource{
 Secret: &corev1.SecretVolumeSource{
- SecretName: fmt.Sprintf("%s-client", controller.PDMemberName(restore.Spec.BR.Cluster)),
+ SecretName: util.ClusterClientTLSSecretName(restore.Spec.BR.Cluster),
 },
 },
 })