diff --git a/service/designate-api.yaml b/service/designate-api.yaml index df962a5..277091b 100644 --- a/service/designate-api.yaml +++ b/service/designate-api.yaml @@ -13,7 +13,10 @@ service: type: single command: mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ designate.db.name.main_database }}; - grant all privileges on {{ designate.db.name.main_database }}.* to '{{ designate.db.username }}'@'%' identified by '{{ designate.db.password }}';" + create user '{{ designate.db.username }}'@'%' identified by '{{ designate.db.password }}' + {% if percona.tls.enabled %} require ssl {% endif %}; + grant all privileges on {{ designate.db.name.main_database }}.* to '{{ designate.db.username }}'@'%' identified by '{{ designate.db.password }}' + {% if percona.tls.enabled %} require ssl {% endif %};" - name: designate-syncdb dependencies: - designate-main-db-create diff --git a/service/designate-pool-manager.yaml b/service/designate-pool-manager.yaml index 306c1f8..1520590 100644 --- a/service/designate-pool-manager.yaml +++ b/service/designate-pool-manager.yaml @@ -11,7 +11,10 @@ service: type: single command: mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ designate.db.name.pool_manager }}; - grant all privileges on {{ designate.db.name.pool_manager }}.* to '{{ designate.db.username }}'@'%' identified by '{{ designate.db.password }}';" + create user '{{ designate.db.username }}'@'%' identified by '{{ designate.db.password }}' + {% if percona.tls.enabled %} require ssl {% endif %}; + grant all privileges on {{ designate.db.name.pool_manager }}.* to '{{ designate.db.username }}'@'%' identified by '{{ designate.db.password }}' + {% if percona.tls.enabled %} require ssl {% endif %};" - name: designate-pool-sync dependencies: - designate-pool-manager-db-create diff --git a/service/files/designate.conf.j2 b/service/files/designate.conf.j2 index 756da63..3cbd272 100644 
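Review bot: The added `create user '{{ designate.db.username }}'@'%' ...` statement runs for the same account in both the designate-api.yaml hunk and the designate-pool-manager.yaml hunk, so if both jobs target the same server the second one will presumably fail at `create user` because the account already exists. Unless the client is run with `--force`, that job then never reaches its `grant`. Where the server version supports it, `create user if not exists '{{ designate.db.username }}'@'%' ...` keeps each job independent; otherwise create the account in one job only. Separately, the new lines splice the password into a single-quoted SQL literal inside a double-quoted shell argument, so a quote or `$` in `designate.db.password` would alter the statement; that value should be constrained or escaped. Both `command:` bodies begin outside the hunks.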
--- a/service/files/designate.conf.j2
+++ b/service/files/designate.conf.j2
@@ -108,7 +108,7 @@ pool_id = {{ designate.pool.pool_id }}
 # SQLAlchemy Pool Manager Cache
 #------------------------------
 [pool_manager_cache:sqlalchemy]
-connection = mysql+pymysql://{{ designate.db.username }}:{{ designate.db.password }}@{{ address(service.database) }}/{{ designate.db.name.pool_manager }}
+connection = mysql+pymysql://{{ designate.db.username }}:{{ designate.db.password }}@{{ address(service.database) }}/{{ designate.db.name.pool_manager }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 ########################
 ## Storage Configuration
@@ -117,7 +117,7 @@ connection = mysql+pymysql://{{ designate.db.username }}:{{ designate.db.passwor
 # SQLAlchemy Storage
 #-------------------
 [storage:sqlalchemy]
-connection = mysql+pymysql://{{ designate.db.username }}:{{ designate.db.password }}@{{ address(service.database) }}/{{ designate.db.name.main_database }}
+connection = mysql+pymysql://{{ designate.db.username }}:{{ designate.db.password }}@{{ address(service.database) }}/{{ designate.db.name.main_database }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 ########################
 ## Handler Configuration
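Review bot: The CA bundle path `/opt/ccp/etc/tls/ca.pem` is hard-coded in both new `connection` lines (`[pool_manager_cache:sqlalchemy]` and `[storage:sqlalchemy]`), so it can drift from wherever the CA is actually mounted. Taking it from one template variable, e.g. `{% if percona.tls.enabled %}?ssl_ca={{ PLACEHOLDER_ca_path_variable }}{% endif %}`, keeps the two in step. With only `ssl_ca` set, whether the server certificate's hostname is also checked depends on the driver version in use, so confirm that a connection to a server presenting a certificate for a different name is refused. A comment above each line such as `# TLS to the database is used only when percona.tls.enabled is set; otherwise credentials cross the network in clear text` would document the fallback.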