diff --git a/lib/rmt/config.rb b/lib/rmt/config.rb
index 650a316ad..d2186e347 100644
--- a/lib/rmt/config.rb
+++ b/lib/rmt/config.rb
@@ -11,20 +11,31 @@
   File.join(__dir__, '../../config/rmt.local.yml')
 )
 
-
 module RMT::Config
   class << self
+    def ssl_config(key = 'database')
+      {
+        'sslverify' => Settings[key].sslverify || true,
+        'sslkey' => Settings[key].sslkey || '',
+        'sslcert' => Settings[key].sslcert || '',
+        'sslca' => Settings[key].sslca || '',
+        'sslcapath' => Settings[key].sslcapath || '',
+        'sslcipher' => Settings[key].sslcipher || 'AES256-SHA',
+        'ssl_mode' => Settings[key].ssl_mode.try(:to_sym) || :disabled
+      }
+    end
+
     def db_config(key = 'database')
       {
         'username' => Settings[key].username,
         'password' => Settings[key].password,
         'database' => Settings[key].database,
-        'host'     => Settings[key].host     || 'localhost',
-        'adapter'  => Settings[key].adapter  || 'mysql2',
+        'host' => Settings[key].host || 'localhost',
+        'adapter' => Settings[key].adapter || 'mysql2',
         'encoding' => Settings[key].encoding || 'utf8',
-        'timeout'  => Settings[key].timeout  || 5000,
-        'pool'     => Settings[key].pool     || 5
-      }
+        'timeout' => Settings[key].timeout || 5000,
+        'pool' => Settings[key].pool || 5
+      }.deep_merge! ssl_config
     end
 
     # This method checks whether or not deduplication should be done by hardlinks.
@@ -47,7 +58,7 @@ def web_server
       WebServerConfig.new(
         max_threads: validate_int(Settings.try(:web_server).try(:max_threads)) || 5,
         min_threads: validate_int(Settings.try(:web_server).try(:min_threads)) || 5,
-        workers:     validate_int(Settings.try(:web_server).try(:workers))     || 2
+        workers: validate_int(Settings.try(:web_server).try(:workers)) || 2
       )
     end
 
diff --git a/package/obs/rmt.conf b/package/obs/rmt.conf
index d58fd0b75..6aa8dac76 100644
--- a/package/obs/rmt.conf
+++ b/package/obs/rmt.conf
@@ -7,6 +7,14 @@ database:
   encoding: utf8
   timeout: 5000
   pool: 5
+  # set sslverify to true to use tls over ssl mysql connection
+  sslverify: false
+  sslkey: /some/path
+  sslcert: /some/path
+  sslca: /some/path
+  sslcapath: /some/path
+  sslcipher: /some/path
+
 
 scc:
   username: