diff --git a/internal/database/cockroach/config.go b/internal/database/cockroach/config.go
index 841787b9fd..f48f026e24 100644
--- a/internal/database/cockroach/config.go
+++ b/internal/database/cockroach/config.go
@@ -15,6 +15,9 @@ import (
 const (
 sslDisabledMode = "disable"
+ sslRequireMode = "require"
+ sslAllowMode = "allow"
+ sslPreferMode = "prefer"
 )
 type Config struct {
@@ -121,6 +124,11 @@ func (c *Config) checkSSL(user User) {
 user.SSL = SSL{Mode: sslDisabledMode}
 return
 }
+
+ if user.SSL.Mode == sslRequireMode || user.SSL.Mode == sslAllowMode || user.SSL.Mode == sslPreferMode {
+ return
+ }
+
 if user.SSL.RootCert == "" {
 logging.WithFields(
 "cert set", user.SSL.Cert != "",
diff --git a/internal/database/postgres/config.go b/internal/database/postgres/config.go
index a567f8bc36..5521891685 100644
--- a/internal/database/postgres/config.go
+++ b/internal/database/postgres/config.go
@@ -13,6 +13,9 @@ import (
 const (
 sslDisabledMode = "disable"
+ sslRequireMode = "require"
+ sslAllowMode = "allow"
+ sslPreferMode = "prefer"
 )
 type Config struct {
@@ -113,6 +116,19 @@ type SSL struct {
 func (s *Config) checkSSL(user User) {
 if user.SSL.Mode == sslDisabledMode || user.SSL.Mode == "" {
 user.SSL = SSL{Mode: sslDisabledMode}
+ return
+ }
+
+ if user.SSL.Mode == sslRequireMode || user.SSL.Mode == sslAllowMode || user.SSL.Mode == sslPreferMode {
+ return
+ }
+
+ if user.SSL.RootCert == "" {
+ logging.WithFields(
+ "cert set", user.SSL.Cert != "",
+ "key set", user.SSL.Key != "",
+ "rootCert set", user.SSL.RootCert != "",
+ ).Fatal("at least ssl root cert has to be set")
 }
 }
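Review bot: The const block in cockroach/config.go now names only the modes that skip certificate verification, while the verifying modes (`verify-ca`, `verify-full`) stay implicit in the fall-through of checkSSL. Adding `sslVerifyCAMode = "verify-ca"` and `sslVerifyFullMode = "verify-full"` here would let checkSSL match the full known set and fail on any other string, so that a misspelled mode with a root cert set no longer passes this check; whether a later layer already rejects unknown values is not visible in this diff. A one-line comment on the three new constants stating that they do not authenticate the server would also help the next reader. The same block is duplicated in internal/database/postgres/config.go.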
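Review bot: The new early return in the cockroach checkSSL accepts `require`, `allow` and `prefer` silently, although none of these modes verifies the server certificate, and under libpq-style sslmode semantics `allow` and `prefer` can end up on an unencrypted connection. An operator who selects one of them gets no indication that the database link is exposed to interception or server impersonation. Consider logging a warning before the `return`, e.g. `logging.WithFields("mode", user.SSL.Mode).Warn("ssl mode does not verify the server certificate")`, and adding a comment above the condition that says why the root-cert check is skipped. The identical branch added in internal/database/postgres/config.go needs the same treatment; checkSSL starts before and continues past this hunk.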
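Review bot: The postgres checkSSL takes `user User` by value, so `user.SSL = SSL{Mode: sslDisabledMode}` changes only the local copy (assuming User is a struct type), and with the added `return` the empty-mode path now leaves the caller's configuration exactly as it was. If the intent is to normalise an empty mode to `disable`, pass a pointer, `func (s *Config) checkSSL(user *User) {`, and update the call sites, which are outside this diff; otherwise drop the assignment so the function reads as a pure validation step. The cockroach checkSSL in the second hunk has the same signature and assignment.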