diff --git a/src/Sitko.Core.App/Helpers/CertHelper.cs b/src/Sitko.Core.App/Helpers/CertHelper.cs
new file mode 100644
index 000000000..9ed4819dc
--- /dev/null
+++ b/src/Sitko.Core.App/Helpers/CertHelper.cs
@@ -0,0 +1,12 @@
+namespace Sitko.Core.App.Helpers;
+
+public static class CertHelper
+{
+    public static string GetCertPath(string sslCertBase64)
+    {
+        var cert = Convert.FromBase64String(sslCertBase64);
+        var path = Path.GetTempFileName();
+        File.WriteAllBytes(path, cert);
+        return path;
+    }
+}
diff --git a/src/Sitko.Core.Db.Postgres/PostgresDatabaseModuleConfig.cs b/src/Sitko.Core.Db.Postgres/PostgresDatabaseModuleConfig.cs
index a219fe20b..86c6e48ae 100644
--- a/src/Sitko.Core.Db.Postgres/PostgresDatabaseModuleConfig.cs
+++ b/src/Sitko.Core.Db.Postgres/PostgresDatabaseModuleConfig.cs
@@ -5,6 +5,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Npgsql;
 using Sitko.Core.App;
+using Sitko.Core.App.Helpers;
 
 namespace Sitko.Core.Db.Postgres;
 
@@ -15,6 +16,8 @@ public class PostgresDatabaseModuleOptions<TDbContext> : BaseDbModuleOptions<TDb
     public int Port { get; set; } = 5432;
     public string Username { get; set; } = "postgres";
     public string Password { get; set; } = string.Empty;
+    public SslMode SslMode { get; set; } = SslMode.Disable;
+    public string? SaslCertBase64 { get; set; }
     public bool EnableNpgsqlPooling { get; set; } = true;
     [JsonIgnore] public Assembly? MigrationsAssembly { get; set; }
     public bool AutoApplyMigrations { get; set; } = true;
@@ -38,9 +41,18 @@ public NpgsqlConnectionStringBuilder CreateBuilder()
             Password = Password,
             Database = Database,
             Pooling = EnableNpgsqlPooling,
-            IncludeErrorDetail = IncludeErrorDetails
+            IncludeErrorDetail = IncludeErrorDetails,
+            SslMode = SslMode
         };
 
+        switch (SslMode)
+        {
+            case SslMode.VerifyFull:
+            case SslMode.VerifyCA:
+                connBuilder.RootCertificate = CertHelper.GetCertPath(SaslCertBase64!);
+                break;
+        }
+
         foreach (var (key, value) in ConnectionOptions)
         {
             try
@@ -68,6 +80,7 @@ public PostgresDatabaseModuleOptionsValidator()
         RuleFor(o => o.Username).NotEmpty().WithMessage("Postgres username is empty");
         RuleFor(o => o.Database).NotEmpty().WithMessage("Postgres database is empty");
         RuleFor(o => o.Port).GreaterThan(0).WithMessage("Postgres port is empty");
+        RuleFor(o => o.SaslCertBase64).NotEmpty().When(o => o.SslMode is SslMode.VerifyFull or SslMode.VerifyCA).WithMessage("Ssl cert base64 is empty");
     }
 }