diff --git a/service/files/ironic.conf.j2 b/service/files/ironic.conf.j2
index ff08c4a..ca96cb0 100644
--- a/service/files/ironic.conf.j2
+++ b/service/files/ironic.conf.j2
@@ -16,7 +16,7 @@ host_ip = {{ network_topology["private"]["address"] }}
 port = {{ ironic.api_port.cont }}
 [database]
-connection = mysql+pymysql://{{ ironic.db.username }}:{{ ironic.db.password }}@{{ address('mariadb', mariadb.port) }}/{{ ironic.db.name }}
+connection = mysql+pymysql://{{ ironic.db.username }}:{{ ironic.db.password }}@{{ address(service.database) }}/{{ ironic.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 max_retries = -1
 [keystone_authtoken]
diff --git a/service/ironic-api.yaml b/service/ironic-api.yaml
index d612693..c15f8d7 100644
--- a/service/ironic-api.yaml
+++ b/service/ironic-api.yaml
@@ -15,9 +15,11 @@ service:
 pre:
 - name: ironic-db-create
 type: single
- command: mysql -v -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e
- 'create database `{{ ironic.db.name }}`; grant all privileges on `{{ ironic.db.name }}`.* to
- "{{ ironic.db.username }}"@"%" identified by "{{ ironic.db.password }}"'
+ command: mysql -v -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database `{{ ironic.db.name }}`;
+ create user '{{ ironic.db.username }}'@'%' identified by '{{ ironic.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant all privileges on `{{ ironic.db.name }}`.* to '{{ ironic.db.username }}'@'%' identified by '{{ ironic.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};"
 dependencies:
 - {{ service.database }}
 - name: ironic-db-sync
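Review bot: The `ssl_ca` value on the new `connection` line is hard-coded to `/opt/ccp/etc/tls/ca.pem`, and nothing in this hunk shows that file being delivered to the ironic containers; if it is missing while `percona.tls.enabled` is true, the service will presumably fail to connect rather than fall back. The option is also keyed on `percona.tls.enabled` while the host now comes from `address(service.database)`, so the flag and the backend actually in use can disagree. A comment above the line would record both assumptions, for example `# TLS to the database is verified against the CCP CA; ca.pem must be present in this container and the server certificate must match the rendered address`.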
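Review bot: The SQL passed to `-e` on the new `command:` lines is wrapped in double quotes where the removed version used single quotes, so if this command is run through a shell the backticks around `{{ ironic.db.name }}` are treated as command substitution, and any `$`, `"` or backtick in the rendered password is expanded or ends the string. Escaping each backtick with a backslash inside the double-quoted string, or rendering the statements into a SQL file that `mysql` reads, avoids this; a `'` in the password would still break the single-quoted SQL literals. Separately, the root login on the same line gets no TLS option even when `percona.tls.enabled` is set, so the root password and the new account's password are not covered by the CA check the service connection receives. Adding `{% if percona.tls.enabled %} --ssl-ca=/opt/ccp/etc/tls/ca.pem{% endif %}` to the `mysql` invocation would align the two, assuming the CA file is available in this job's container.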