diff --git a/packages/cli/config/index.ts b/packages/cli/config/index.ts
index ce79ca5221..a3c2cfd03a 100644
--- a/packages/cli/config/index.ts
+++ b/packages/cli/config/index.ts
@@ -63,6 +63,34 @@ const config = convict({
 default: 'public',
 env: 'DB_POSTGRESDB_SCHEMA'
 },
+
+ ssl: {
+ ca: {
+ doc: 'SSL certificate authority',
+ format: String,
+ default: '',
+ env: 'DB_POSTGRESDB_SSL_CA',
+ },
+ cert: {
+ doc: 'SSL certificate',
+ format: String,
+ default: '',
+ env: 'DB_POSTGRESDB_SSL_CERT',
+ },
+ key: {
+ doc: 'SSL key',
+ format: String,
+ default: '',
+ env: 'DB_POSTGRESDB_SSL_KEY',
+ },
+ rejectUnauthorized: {
+ doc: 'If unauthorized SSL connections should be rejected',
+ format: 'Boolean',
+ default: true,
+ env: 'DB_POSTGRESDB_SSL_REJECT_UNAUTHORIZED',
+ },
+ }
+
 },
 mysqldb: {
 database: {
diff --git a/packages/cli/src/Db.ts b/packages/cli/src/Db.ts
index 54633adb13..efda1f6366 100644
--- a/packages/cli/src/Db.ts
+++ b/packages/cli/src/Db.ts
@@ -14,6 +14,8 @@ import {
 getRepository,
 } from 'typeorm';
+import { TlsOptions } from 'tls';
+
 import * as config from '../config';
 import {
@@ -72,6 +74,22 @@ export async function init(): Promise {
 case 'postgresdb':
 entities = PostgresDb;
+
+ const sslCa = await GenericHelpers.getConfigValue('database.postgresdb.ssl.ca') as string;
+ const sslCert = await GenericHelpers.getConfigValue('database.postgresdb.ssl.cert') as string;
+ const sslKey = await GenericHelpers.getConfigValue('database.postgresdb.ssl.key') as string;
+ const sslRejectUnauthorized = await GenericHelpers.getConfigValue('database.postgresdb.ssl.rejectUnauthorized') as boolean;
+
+ let ssl: TlsOptions | undefined = undefined;
+ if (sslCa !== '' || sslCert !== '' || sslKey !== '' || sslRejectUnauthorized !== true) {
+ ssl = {
+ ca: sslCa || undefined,
+ cert: sslCert || undefined,
+ key: sslKey || undefined,
+ rejectUnauthorized: sslRejectUnauthorized,
+ };
+ }
+
 connectionOptions = {
 type: 'postgres',
 entityPrefix,
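Review bot: The `doc` strings for `ca`, `cert` and `key` do not say whether the value is PEM text or a file path. The Db.ts hunk of this commit passes the strings straight into `TlsOptions`, so they have to hold the PEM contents, and the docs should say so, e.g. `doc: 'SSL key (PEM contents, not a file path)'`. `key` carries private-key material, so it should also be marked `sensitive: true` so that convict masks it when the configuration is printed. As a style point, `format: 'Boolean'` uses convict's string form while the three entries above it use the `String` constructor; `format: Boolean` would match. The enclosing `postgresdb` object starts outside the hunk.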
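Review bot: With the defaults (`''`, `''`, `''`, `true`) the condition in the `case 'postgresdb':` hunk leaves `ssl` undefined, so TLS is switched on only by supplying a CA, cert or key, or by setting `DB_POSTGRESDB_SSL_REJECT_UNAUTHORIZED=false`. An operator whose server certificate chains to a public CA therefore cannot ask for verified TLS without pasting in a CA, and the only way to get encryption without certificate material is the setting that turns verification off, which leaves the connection open to interception. I would add an explicit opt-in (a proposed `database.postgresdb.ssl.enabled` boolean, default `false`), include it in the check as `if (sslEnabled || sslCa !== '' || sslCert !== '' || sslKey !== '' || sslRejectUnauthorized !== true) {`, and log a startup warning whenever `sslRejectUnauthorized` is `false`. Separately, the `const`/`let` declarations sit directly in the `case` clause, whose scope is shared with the other cases; wrapping the clause body in `{ … }` keeps them local. `init()` starts and ends outside the hunk.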
@@ -84,7 +102,9 @@ export async function init(): Promise {
 migrations: [InitialMigration1587669153312],
 migrationsRun: true,
 migrationsTableName: `${entityPrefix}migrations`,
+ ssl,
 };
+
 break;
 case 'mariadb':