diff --git a/service/files/heat.conf.j2 b/service/files/heat.conf.j2
index b64bb57..148758f 100644
--- a/service/files/heat.conf.j2
+++ b/service/files/heat.conf.j2
@@ -16,7 +16,7 @@ reauthentication_auth_method = trusts
 endpoint_type = internalURL
 [database]
-connection = mysql+pymysql://{{ heat.db.username }}:{{ heat.db.password }}@{{ address(service.database) }}/{{ heat.db.name }}
+connection = mysql+pymysql://{{ heat.db.username }}:{{ heat.db.password }}@{{ address(service.database) }}/{{ heat.db.name }}{% if percona.tls.enabled %}?ssl_ca=/opt/ccp/etc/tls/ca.pem{% endif %}
 [keystone_authtoken]
 auth_version = v3
diff --git a/service/heat-api.yaml b/service/heat-api.yaml
index d866f42..0ac7e2f 100644
--- a/service/heat-api.yaml
+++ b/service/heat-api.yaml
@@ -13,7 +13,10 @@ service:
 type: single
 command:
 mysql -u root -p{{ db.root_password }} -h {{ address(service.database) }} -e "create database {{ heat.db.name }};
- grant all privileges on {{ heat.db.name }}.* to '{{ heat.db.username }}'@'%' identified by '{{ heat.db.password }}';"
+ create user '{{ heat.db.username }}'@'%' identified by '{{ heat.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};
+ grant all privileges on {{ heat.db.name }}.* to '{{ heat.db.username }}'@'%' identified by '{{ heat.db.password }}'
+ {% if percona.tls.enabled %} require ssl {% endif %};"
 - name: heat-db-sync
 files:
 - heat-conf
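Review bot: In the heat.conf.j2 hunk the CA path `/opt/ccp/etc/tls/ca.pem` is hard-coded in the `connection` line, and nothing visible in this commit places that file in the heat containers; the only `files:` entry shown in heat-api.yaml is `heat-conf`. If the CA is mounted elsewhere this is fine, but otherwise the database connection will fail once `percona.tls.enabled` is set, so the dependency deserves a comment above `[database]` such as `# TLS: ca.pem must be present in every container that renders this file`. Supplying `ssl_ca` is what lets the client authenticate the server rather than only encrypt; whether the server name is also checked against the certificate depends on the driver versions in the image, which the page does not show.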
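Review bot: In the heat-api.yaml hunk the provisioning `mysql -u root ...` call gets no TLS option even when `percona.tls.enabled` is true, so the `identified by '{{ heat.db.password }}'` statements added here are sent as query text over a session that may be unencrypted or unverified, depending on the client's defaults. `require ssl` only constrains later logins by the heat user; it does not protect this provisioning session. Consider adding `{% if percona.tls.enabled %}--ssl-ca=/opt/ccp/etc/tls/ca.pem{% endif %}` to the `mysql` invocation, assuming the CA file is available in this job's container. Separately, `identified by` is now repeated in the `grant` after the `create user`, which looks redundant and can probably be dropped from the grant. The job definition starts above the hunk, so its name, dependencies and files list are not visible here.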