diff --git a/manifests/init.pp b/manifests/init.pp
index cf164c9..f641330 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -85,6 +85,14 @@ class openstackid (
 $session_cookie_domain = $::fqdn,
 $session_cookie_secure = true,
 $session_cookie_http_only = true,
+ $mysql_ssl_enabled = false,
+ $mysql_ssl_ca_file = '/etc/mysql-client-ssl/ca-cert.pem',
+ $mysql_ssl_ca_file_contents = '',
+ $mysql_ssl_client_key_file = '/etc/mysql-client-ssl/client-key.pem',
+ $mysql_ssl_client_key_file_contents = '',
+ $mysql_ssl_client_cert_file = '/etc/mysql-client-ssl/client-cert.pem',
+ $mysql_ssl_client_cert_file_contents = '',
+ $mysql_ssl_cypher = 'DHE-RSA-AES256-SHA',
 ) {
 # php packages needed for openid server
@@ -292,6 +300,42 @@ class openstackid (
 }
 }
+ # mysql ssl connection configuration
+ if($mysql_ssl_enabled) {
+
+ if $mysql_ssl_ca_file_contents != '' {
+ file { $mysql_ssl_ca_file:
+ owner => 'root',
+ group => 'www-data',
+ mode => '0640',
+ content => $mysql_ssl_ca_file_contents,
+ notify => Class['::apache::service'],
+ before => Apache::Vhost::Custom[$vhost_name],
+ }
+ }
+
+ if $mysql_ssl_client_key_file_contents != '' {
+ file { $mysql_ssl_client_key_file:
+ owner => 'root',
+ group => 'www-data',
+ mode => '0640',
+ content => $mysql_ssl_client_key_file_contents,
+ notify => Class['::apache::service'],
+ before => Apache::Vhost::Custom[$vhost_name],
+ }
+ }
+ if $mysql_ssl_client_cert_file_contents != '' {
+ file { $mysql_ssl_client_cert_file:
+ owner => 'root',
+ group => 'www-data',
+ mode => '0640',
+ content => $mysql_ssl_client_cert_file_contents,
+ notify => Class['::apache::service'],
+ before => Apache::Vhost::Custom[$vhost_name],
+ }
+ }
+ }
+
 $docroot_dirs = [
 '/srv/openstackid'
 ]
 file { $docroot_dirs:
diff --git a/templates/lv5/.env.erb b/templates/lv5/.env.erb
index 83cbe74..ebab61a 100644
--- a/templates/lv5/.env.erb
+++ b/templates/lv5/.env.erb
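Review bot: The default `$mysql_ssl_cypher = 'DHE-RSA-AES256-SHA'` in the new parameter list pins the client to a CBC/SHA-1 suite from the TLS 1.0 era, so every deployment that does not override it negotiates that suite with the database. If the MySQL server in use supports it, an AEAD suite such as `DHE-RSA-AES256-GCM-SHA384` (or the ECDHE variant) is a safer default; I cannot tell from this change which server version is targeted, so please confirm before switching. A short comment on the parameter naming the rationale for whichever suite is chosen would help the next maintainer, e.g. `# cipher suite offered to MySQL; must be one the server's TLS library accepts`.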
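Review bot: When `$mysql_ssl_enabled` is true but one of the three `*_contents` parameters is left at its default `''`, the corresponding `file` resource is skipped and the branch manages nothing, while the path is still written into the application's `.env` by the template changed in this same commit, so the client would point at a file this module never created. Either fail the catalog early, `if $mysql_ssl_ca_file_contents == '' { fail('openstackid: mysql_ssl_enabled requires mysql_ssl_ca_file_contents') }` (and likewise for the key and cert), or state in the class documentation that the files may be provisioned out of band when contents are empty. The three `file` resources differ only in title and `content`; an iteration over a hash of path => contents would remove the duplication if the parser in use supports it. Minor: `if($mysql_ssl_enabled)` uses parentheses while the inner conditions do not; pick one form.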
@@ -18,6 +18,12 @@ SS_DATABASE="<%= @ss_db_name %>"
 SS_DB_USERNAME="<%= @ss_mysql_user %>"
 SS_DB_PASSWORD="<%= @ss_mysql_password %>"
+DB_USE_SSL=<%= @mysql_ssl_enabled %>
+DB_MYSQL_ATTR_SSL_CA="<%= @mysql_ssl_ca_file %>"
+DB_MYSQL_ATTR_SSL_KEY="<%= @mysql_ssl_client_key_file %>"
+DB_MYSQL_ATTR_SSL_CERT="<%= @mysql_ssl_client_cert %>"
+DB_MYSQL_ATTR_SSL_CIPHER="<%= @mysql_ssl_cypher %>"
+
 REDIS_HOST="<%= @redis_host %>"
 REDIS_PORT=<%= @redis_port %>
 REDIS_DB=<%= @redis_db %>
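Review bot: `DB_MYSQL_ATTR_SSL_CERT` reads `@mysql_ssl_client_cert`, but the parameter added in manifests/init.pp in this same commit is `$mysql_ssl_client_cert_file`; an unset instance variable renders as an empty string in the ERB, so the client-certificate path is blank whenever SSL is enabled and the connection either fails or, depending on how the application treats an empty value, is made without the client certificate. Change the line to `DB_MYSQL_ATTR_SSL_CERT="<%= @mysql_ssl_client_cert_file %>"`. The four `DB_MYSQL_ATTR_SSL_*` lines are also emitted when `@mysql_ssl_enabled` is false, leaving paths to files the module does not create in the environment file; that is harmless only if the application ignores them when `DB_USE_SSL` is false, which I cannot confirm from this change.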