diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index cd1df6b3..c2815260 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -229,11 +229,10 @@ message CommonTlsContext {
   // Multiple TLS certificates can be associated with the same context.
   // E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured.
   //
-  // .. attention::
-  //
-  //   Although this is a list, currently only a single certificate is supported. This will be
-  //   relaxed in the future.
-  repeated TlsCertificate tls_certificates = 2 [(validate.rules).repeated .max_items = 1];
+  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
+  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
+  // used for clients that support ECDSA.
+  repeated TlsCertificate tls_certificates = 2;
 
   // Configs for fetching TLS certificates via SDS API.
   repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;