diff --git a/.github/workflows/new_contributor_pr.yml b/.github/workflows/new_contributor_pr.yml
index c0f54e81ed..b0ad4aae16 100644
--- a/.github/workflows/new_contributor_pr.yml
+++ b/.github/workflows/new_contributor_pr.yml
@@ -5,7 +5,7 @@ on:
 # This workflow uses pull_request_target so it can run with write permissions on first-time contributor PRs.
 # It is safe because it does not check out or execute any code from the pull request and
 # only uses the pinned, trusted actions/first-interaction action
- pull_request_target: # zizmor: ignore[dangerous-triggers]
+ pull_request_target: # zizmor: ignore[dangerous-triggers]
 types: [opened]
 branches:
 - master
diff --git a/server/database.js b/server/database.js
index d1176ed309..23923679fd 100644
--- a/server/database.js
+++ b/server/database.js
@@ -284,6 +284,14 @@ class Database {
 port: dbConfig.port,
 user: dbConfig.username,
 password: dbConfig.password,
+ ...(dbConfig.ssl
+ ? {
+ ssl: {
+ rejectUnauthorized: true,
+ ...(dbConfig.ca && dbConfig.ca.trim() !== "" ? { ca: [dbConfig.ca] } : {}),
+ },
+ }
+ : {}),
 });

 // Set to true, so for example "uptime.kuma", becomes `uptime.kuma`, not `uptime`.`kuma`
@@ -309,6 +317,14 @@ class Database {
 }
 return next();
 },
+ ...(dbConfig.ssl
+ ? {
+ ssl: {
+ rejectUnauthorized: true,
+ ...(dbConfig.ca && dbConfig.ca.trim() !== "" ? { ca: [dbConfig.ca] } : {}),
+ },
+ }
+ : {}),
 },
 pool: mariadbPoolConfig,
 };
diff --git a/server/setup-database.js b/server/setup-database.js
index 53c1d18a4e..81554c1600 100644
--- a/server/setup-database.js
+++ b/server/setup-database.js
@@ -102,6 +102,8 @@ class SetupDatabase {
 dbConfig.dbName = process.env.UPTIME_KUMA_DB_NAME;
 dbConfig.username = getEnvOrFile("UPTIME_KUMA_DB_USERNAME");
 dbConfig.password = getEnvOrFile("UPTIME_KUMA_DB_PASSWORD");
+ dbConfig.ssl = getEnvOrFile("UPTIME_KUMA_DB_SSL")?.toLowerCase() === "true";
+ dbConfig.ca = getEnvOrFile("UPTIME_KUMA_DB_CA");
 Database.writeDBConfig(dbConfig);
 }
 }
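Review bot: The `ssl` option object added after `password: dbConfig.password` is repeated verbatim in the second hunk of this file (around line 317) and again in server/setup-database.js (around line 241), so the three copies can drift — a later change to `rejectUnauthorized` or to how the CA is accepted would have to be made in three places. Since setup-database.js already calls `Database.writeDBConfig`, a static helper on `Database` that returns either `{}` or the `ssl` object lets every call site spread `...Database.sslOptions(dbConfig),` instead. The helper also lets the truthiness test `dbConfig.ca && dbConfig.ca.trim() !== ""` collapse to `dbConfig.ca?.trim()`. The enclosing method starts and ends outside this hunk, so I cannot tell whether both connection objects in this file are built in the same method.
```javascript
    /**
     * Build the mysql2 TLS options for a stored database config.
     * @param {object} dbConfig Parsed db config (`ssl` boolean, optional `ca` PEM string)
     * @returns {object} `{ ssl: {...} }` when TLS is enabled, otherwise `{}` so callers can spread it
     */
    static sslOptions(dbConfig) {
        if (!dbConfig.ssl) {
            return {};
        }
        const ca = dbConfig.ca?.trim();
        return {
            ssl: {
                // Server certificate verification stays on; a custom CA narrows trust, it never disables it
                rejectUnauthorized: true,
                ...(ca ? { ca: [ dbConfig.ca ] } : {}),
            },
        };
    }

            // … unchanged: host/port/user/password fields …
            password: dbConfig.password,
            ...Database.sslOptions(dbConfig),
```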
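Review bot: The new line `dbConfig.ssl = getEnvOrFile("UPTIME_KUMA_DB_SSL")?.toLowerCase() === "true";` treats every value other than the exact string `true` — including `1`, `yes`, or `true` with trailing whitespace, since the value is not trimmed — as "TLS off", so a typo in the environment silently produces a plaintext database connection, and a `UPTIME_KUMA_DB_CA` set alongside it is silently ignored. I would trim before comparing, `const sslFlag = getEnvOrFile("UPTIME_KUMA_DB_SSL")?.trim().toLowerCase();` and `dbConfig.ssl = sslFlag === "true";`, and log a warning (or refuse to continue) when `sslFlag` is defined but is neither `true` nor `false`, and likewise when a CA is supplied while `dbConfig.ssl` is false. Whether `getEnvOrFile` always returns a string or `undefined` is not visible in this hunk, so the `?.` chain is presumed to be the only null handling needed. The enclosing method starts outside this hunk.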
@@ -239,6 +241,14 @@ class SetupDatabase {
 user: dbConfig.username,
 password: dbConfig.password,
 database: dbConfig.dbName,
+ ...(dbConfig.ssl
+ ? {
+ ssl: {
+ rejectUnauthorized: true,
+ ...(dbConfig.ca && dbConfig.ca.trim() !== "" ? { ca: [dbConfig.ca] } : {}),
+ },
+ }
+ : {}),
 });
 await connection.execute("SELECT 1");
 connection.end();
diff --git a/src/lang/en.json b/src/lang/en.json
index 94a980ac74..d7e7ad0fbc 100644
--- a/src/lang/en.json
+++ b/src/lang/en.json
@@ -6,6 +6,10 @@
 "setupDatabaseSQLite": "A simple database file, recommended for small-scale deployments. Prior to v2.0.0, Uptime Kuma used SQLite as the default database.",
 "settingUpDatabaseMSG": "Setting up the database. It may take a while, please be patient.",
 "dbName": "Database Name",
+ "enableSSL": "Enable SSL/TLS",
+ "mariadbUseSSLHelptext": "Enable to use a encrypted connection to your database. Required for most cloud databases.",
+ "mariadbCaCertificateLabel": "CA Certificate",
+ "mariadbCaCertificateHelptext": "Paste the CA Cert in PEM format to use with self-signed certificates. Leave blank if your database uses a certificate signed by a public CA.",
 "Settings": "Settings",
 "Dashboard": "Dashboard",
 "Help": "Help",
diff --git a/src/pages/SetupDatabase.vue b/src/pages/SetupDatabase.vue
index 58951f9178..47c50a6e92 100644
--- a/src/pages/SetupDatabase.vue
+++ b/src/pages/SetupDatabase.vue
@@ -121,6 +121,42 @@
+
+
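Review bot: The new `mariadbUseSSLHelptext` string reads "a encrypted connection"; since this file is the source every other locale is translated from, the article should be fixed here before it propagates: `"mariadbUseSSLHelptext": "Enable to use an encrypted connection to your database. Required for most cloud databases.",`. The `mariadbCaCertificateHelptext` text could also say that supplying a CA replaces the system trust store rather than extending it, which is what the `ca: [dbConfig.ca]` option in server/database.js does, so operators do not paste a private CA expecting public CAs to stay trusted.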
+
+
+ + +
+
+ {{ $t("mariadbUseSSLHelptext") }} +
+
+
+ +
+ + +
{{ $t("mariadbCaCertificateHelptext") }}
+