diff --git a/apis/postgresql/v1alpha1/provider_types.go b/apis/postgresql/v1alpha1/provider_types.go
index 1a0b3eba..2936b72b 100644
--- a/apis/postgresql/v1alpha1/provider_types.go
+++ b/apis/postgresql/v1alpha1/provider_types.go
@@ -19,6 +19,8 @@ package v1alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients"
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
 
@@ -36,6 +38,24 @@ type ProviderConfigSpec struct {
 	// +kubebuilder:default=verify-full
 	// +kubebuilder:validation:Optional
 	SSLMode *string `json:"sslMode,omitempty"`
+	// Path to the certificate used for client authentication
+	// +kubebuilder:validation:Optional
+	SSLCert *string `json:"sslCert,omitempty"`
+	// Path to the key used for client authentication
+	// +kubebuilder:validation:Optional
+	SSLKey *string `json:"sslKey,omitempty"`
+	// Path to the CA certificate(s) used for verifying the server certificate
+	// +kubebuilder:validation:Optional
+	SSLRootCert *string `json:"sslRootCert,omitempty"`
+}
+
+func (s ProviderConfigSpec) Options() postgresql.Options {
+	return postgresql.Options{
+		SSLMode:     clients.ToString(s.SSLMode),
+		SSLCert:     clients.ToString(s.SSLCert),
+		SSLKey:      clients.ToString(s.SSLKey),
+		SSLRootCert: clients.ToString(s.SSLRootCert),
+	}
 }
 
 const (
diff --git a/apis/postgresql/v1alpha1/zz_generated.deepcopy.go b/apis/postgresql/v1alpha1/zz_generated.deepcopy.go
index 70d15187..bc2fcbaf 100644
--- a/apis/postgresql/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/postgresql/v1alpha1/zz_generated.deepcopy.go
@@ -563,6 +563,21 @@ func (in *ProviderConfigSpec) DeepCopyInto(out *ProviderConfigSpec) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SSLCert != nil {
+		in, out := &in.SSLCert, &out.SSLCert
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLKey != nil {
+		in, out := &in.SSLKey, &out.SSLKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLRootCert != nil {
+		in, out := &in.SSLRootCert, &out.SSLRootCert
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigSpec.
diff --git a/cluster/local/integration_tests.sh b/cluster/local/integration_tests.sh
index e8669b78..3c6a62d0 100755
--- a/cluster/local/integration_tests.sh
+++ b/cluster/local/integration_tests.sh
@@ -96,6 +96,15 @@ nodes:
   extraMounts:
   - hostPath: "${cache_path}/"
     containerPath: /cache
+  extraPortMappings:
+  - containerPort: 5432
+    hostPort: 5432
+  kubeadmConfigPatches:
+  - |
+    kind: ClusterConfiguration
+    apiServer:
+      extraArgs:
+        "service-node-port-range": "1-65535"
 EOF
   )"
   echo "${config}" | "${KIND}" create cluster --name="${K8S_CLUSTER}" --wait=5m --image="${node_image}" --config=-
diff --git a/cluster/local/postgresdb_functions.sh b/cluster/local/postgresdb_functions.sh
index 4a64c7e2..e027dd86 100644
--- a/cluster/local/postgresdb_functions.sh
+++ b/cluster/local/postgresdb_functions.sh
@@ -21,6 +21,54 @@ setup_postgresdb_no_tls() {
   PORT_FORWARD_PID=$!
 }
 
+setup_postgresdb_tls() {
+  echo_step "Installing PostgresDB Helm chart into default namespace"
+  postgres_root_pw=$(LC_ALL=C tr -cd "A-Za-z0-9" </dev/urandom | head -c 32)
+
+  "${HELM}" repo update
+  "${HELM}" install postgresdb bitnami/postgresql \
+      --version 11.9.1 \
+      --set global.postgresql.auth.postgresPassword="${postgres_root_pw}" \
+      --set volumePermissions.enabled=true \
+      --set tls.enabled=true \
+      --set tls.autoGenerated=true \
+      --set primary.extraEnvVars[0].name=POSTGRESQL_TLS_CA_FILE \
+      --set primary.extraEnvVars[0].value=/opt/bitnami/postgresql/certs/ca.crt \
+      --set primary.pgHbaConfiguration='local all all trust
+hostssl all all 0.0.0.0/0 md5
+hostssl all all ::/0 md5' \
+      --wait
+
+  # Access via NodePort, the port-forward gets a connection reset after first use and will be no longer available
+  "${KUBECTL}" expose pod postgresdb-postgresql-0 \
+      --name=postgres-nodeport \
+      --type=NodePort \
+      --selector='statefulset.kubernetes.io/pod-name=postgresdb-postgresql-0' \
+      --overrides '{"apiVersion":"v1","spec":{"ports":[{"port":5432,"protocol":"TCP","targetPort":5432,"nodePort":5432}]}}'
+  "${KUBECTL}" wait service/postgres-nodeport --timeout 2m --for=jsonpath='{.status.loadBalancer}'
+
+  # double check that PostgreSQL is accessible via the NodePort
+  echo_step "Waiting for PostgreSQL to become accessible"
+  while ! pg_isready -h localhost -p 5432; do
+    echo -n .
+    sleep 0.5
+  done
+  echo_step_completed
+
+  echo_step "Setting up client connection secrets"
+  "${KUBECTL}" create secret generic postgresdb-creds \
+      --from-literal username="postgres" \
+      --from-literal password="${postgres_root_pw}" \
+      --from-literal endpoint="postgresdb-postgresql.default.svc.cluster.local" \
+      --from-literal port="5432"
+
+    # copy the TLS secret to crossplane-system namespace for the provider to access
+    "${KUBECTL}" get secret postgresdb-postgresql-crt -o yaml \
+      | "${KUBECTL}" patch --patch='{"metadata":{"namespace":"crossplane-system"}}' -o yaml --dry-run=client -f - \
+      | "${KUBECTL}" apply -f -
+  echo_step_completed
+}
+
 setup_provider_config_postgres_no_tls() {
   echo_step "creating ProviderConfig for PostgresDb with no TLS"
   local yaml="$( cat <<EOF
@@ -40,6 +88,82 @@ EOF
   echo "${yaml}" | "${KUBECTL}" apply -f -
 }
 
+setup_provider_config_postgres_tls() {
+  echo_step "creating ProviderConfig for PostgresDb with TLS"
+  local yaml="$(cat <<EOF
+apiVersion: pkg.crossplane.io/v1beta1
+kind: DeploymentRuntimeConfig
+metadata:
+  name: postgres-tls
+spec:
+  deploymentTemplate:
+    spec:
+      selector: {}
+      template:
+        spec:
+          containers:
+            - name: package-runtime
+              args:
+                - --debug
+              volumeMounts:
+                - mountPath: /certs/postgres
+                  name: postgresql-tls
+                  readOnly: true
+          volumes:
+          - name: postgresql-tls
+            secret:
+              secretName: postgresdb-postgresql-crt
+              defaultMode: 420
+              items:
+              - key: ca.crt
+                path: ca.crt
+---
+apiVersion: postgresql.sql.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: default
+spec:
+  sslRootCert: /certs/postgres/ca.crt
+  credentials:
+    source: PostgreSQLConnectionSecret
+    connectionSecretRef:
+      namespace: default
+      name: postgresdb-creds
+EOF
+  )"
+  echo "${yaml}" | "${KUBECTL}" apply -f -
+
+  # make use of the postgres-tls DeploymentRuntimeConfig
+  "${KUBECTL}" patch providers.pkg.crossplane.io/provider-sql --type=json --patch='[{"op":"add","path":"/spec/runtimeConfigRef","value":{"name":"postgres-tls"}}]'
+}
+
+setup_provider_config_postgres_inline_tls() {
+  echo_step "creating ProviderConfig for PostgresDb with inline TLS"
+  local yaml="$(cat <<EOF
+---
+apiVersion: postgresql.sql.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: default
+spec:
+  credentials:
+    source: PostgreSQLConnectionSecret
+    connectionSecretRef:
+      namespace: default
+      name: postgresdb-creds
+EOF
+  )"
+  echo "${yaml}" | "${KUBECTL}" apply -f -
+
+  # make use of the default debug-config DeploymentRuntimeConfig
+  "${KUBECTL}" patch providers.pkg.crossplane.io/provider-sql --type=json --patch='[{"op":"add","path":"/spec/runtimeConfigRef","value":{"name":"debug-config"}}]'
+
+  # add the clusterCA key from the postgresdb-postgresql-crt Secret created by
+  # Helm chart to the postgresdb-creds Secret
+  sslrootcert="$("${KUBECTL}" get secret postgresdb-postgresql-crt -o go-template='{{index .data "ca.crt"}}')"
+  "${KUBECTL}" patch secret postgresdb-creds --type='json' --patch='[{"op" : "add" ,"path" : "/data/clusterCA" ,"value" : "'"${sslrootcert}"'"}]'
+}
+
 setup_postgresdb_tests(){
 # install provider resources
 echo_step "creating PostgresDB Database resource"
@@ -59,19 +183,19 @@ echo_step "creating PostgresDB Schema resources"
 "${KUBECTL}" apply -f ${projectdir}/examples/postgresql/schema.yaml
 
 echo_step "check if Role is ready"
-"${KUBECTL}" wait --timeout 2m --for condition=Ready -f ${projectdir}/examples/postgresql/role.yaml
+"${KUBECTL}" wait --timeout 3m --for condition=Ready -f ${projectdir}/examples/postgresql/role.yaml
 echo_step_completed
 
 echo_step "check if database is ready"
-"${KUBECTL}" wait --timeout 2m --for condition=Ready -f ${projectdir}/examples/postgresql/database.yaml
+"${KUBECTL}" wait --timeout 3m --for condition=Ready -f ${projectdir}/examples/postgresql/database.yaml
 echo_step_completed
 
 echo_step "check if grant is ready"
-"${KUBECTL}" wait --timeout 2m --for condition=Ready -f ${projectdir}/examples/postgresql/grant.yaml
+"${KUBECTL}" wait --timeout 3m --for condition=Ready -f ${projectdir}/examples/postgresql/grant.yaml
 echo_step_completed
 
 echo_step "check if schema is ready"
-"${KUBECTL}" wait --timeout 2m --for condition=Ready -f ${projectdir}/examples/postgresql/schema.yaml
+"${KUBECTL}" wait --timeout 3m --for condition=Ready -f ${projectdir}/examples/postgresql/schema.yaml
 echo_step_completed
 }
 
@@ -168,6 +292,22 @@ check_observe_only_database(){
   echo_step_completed
 }
 
+check_tls_used() {
+  echo_step "check if TLS is used to connect"
+  local tls
+  tls="$(PGPASSWORD="${postgres_root_pw}" psql -h localhost -p 5432 -U postgres -wtAc "select pg_ssl.ssl FROM pg_stat_ssl pg_ssl JOIN pg_stat_activity pg_sa ON pg_ssl.pid = pg_sa.pid;")"
+
+  if [[ "${tls}" == t ]]; then
+      echo "Connected using TLS"
+      echo_info "OK"
+  else
+      echo "Did not connect using TLS"
+      echo_error "Not OK"
+  fi
+
+  echo_step_completed
+}
+
 delete_postgresdb_resources(){
   # uninstall
   echo_step "uninstalling ${PROJECT_NAME}"
@@ -179,14 +319,24 @@ delete_postgresdb_resources(){
 
   # ----------- cleaning postgres related resources
 
-  echo_step "kill port-forwarding"
-  kill $PORT_FORWARD_PID
+  if [[ -n "${PORT_FORWARD_PID}" ]]; then
+    echo_step "kill port-forwarding"
+    kill $PORT_FORWARD_PID
+    unset PORT_FORWARD_PID
+  fi
 
   echo_step "uninstalling secret and provider config for postgres"
   "${KUBECTL}" delete secret postgresdb-creds
 
   echo_step "Uninstalling PostgresDB Helm chart from default namespace"
   "${HELM}" uninstall postgresdb
+
+  # make sure to delete the PVC, otherwise the password will be reused from the first installation
+  "${KUBECTL}" delete --ignore-not-found=true pvc data-postgresdb-postgresql-0
+
+  "${KUBECTL}" delete --ignore-not-found=true service postgres-nodeport
+
+  "${KUBECTL}" delete --ignore-not-found=true secret -n crossplane-system postgresdb-postgresql-crt
 }
 
 integration_tests_postgres() {
@@ -198,4 +348,28 @@ integration_tests_postgres() {
   check_all_roles_privileges
   check_schema_privileges
   delete_postgresdb_resources
-}
\ No newline at end of file
+
+  tls_tests() {
+    local PGSSLMODE=require
+    setup_postgresdb_tls
+    setup_provider_config_postgres_tls
+    check_tls_used
+    setup_observe_only_database
+    setup_postgresdb_tests
+    check_all_roles_privileges
+    delete_postgresdb_resources
+  }
+  tls_tests
+
+  inline_tls_tests() {
+    local PGSSLMODE=require
+    setup_postgresdb_tls
+    setup_provider_config_postgres_inline_tls
+    check_tls_used
+    setup_observe_only_database
+    setup_postgresdb_tests
+    check_all_roles_privileges
+    delete_postgresdb_resources
+  }
+  inline_tls_tests
+}
diff --git a/examples/postgresql/custom-certificates.yaml b/examples/postgresql/custom-certificates.yaml
new file mode 100644
index 00000000..d6b9ab76
--- /dev/null
+++ b/examples/postgresql/custom-certificates.yaml
@@ -0,0 +1,51 @@
+---
+# This DeploymentRuntimeConfig will mount files embedded in a Secret to the
+# provider Pod, this allows accessing those files as paths on in the options,
+# e.g. when using custom TLS CA certificates or keys
+apiVersion: pkg.crossplane.io/v1beta1
+kind: DeploymentRuntimeConfig
+metadata:
+  name: postgres-custom-tls
+spec:
+  deploymentTemplate:
+    spec:
+      selector: {}
+      template:
+        spec:
+          containers:
+            - name: package-runtime
+              volumeMounts:
+                - mountPath: /certs/postgres
+                  name: postgresql-tls
+                  readOnly: true
+          volumes:
+            - name: postgresql-tls
+              secret:
+                # Name of the secret containing the files
+                secretName: postgresdb-postgresql-crt
+                defaultMode: 420
+---
+# The DeploymentRuntimeConfig must be referenced in the Provider configuration
+# for it to be effective
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+  name: provider-sql
+spec:
+  runtimeConfigRef:
+    name: postgres-custom-tls
+  package: xpkg.upbound.io/crossplane-contrib/provider-sql:v0.13.0
+---
+# The configuration can now point to the /certs/postgres/ca.crt, ca.crt being
+# the key in the postgresdb-postgresql-crt Secret referenced above
+apiVersion: postgresql.sql.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: default
+spec:
+  sslRootCert: /certs/postgres/ca.crt
+  credentials:
+    source: PostgreSQLConnectionSecret
+    connectionSecretRef:
+      namespace: default
+      name: postgresdb-creds
diff --git a/package/crds/postgresql.sql.crossplane.io_providerconfigs.yaml b/package/crds/postgresql.sql.crossplane.io_providerconfigs.yaml
index ea431526..28deb2ea 100644
--- a/package/crds/postgresql.sql.crossplane.io_providerconfigs.yaml
+++ b/package/crds/postgresql.sql.crossplane.io_providerconfigs.yaml
@@ -84,6 +84,12 @@ spec:
                   Defines the database name used to set up a connection to the provided
                   PostgreSQL instance. Same as PGDATABASE environment variable.
                 type: string
+              sslCert:
+                description: Path to the certificate used for client authentication
+                type: string
+              sslKey:
+                description: Path to the key used for client authentication
+                type: string
               sslMode:
                 default: verify-full
                 description: |-
@@ -95,6 +101,10 @@ spec:
                 - verify-ca
                 - verify-full
                 type: string
+              sslRootCert:
+                description: Path to the CA certificate(s) used for verifying the
+                  server certificate
+                type: string
             required:
             - credentials
             type: object
diff --git a/pkg/clients/postgresql/postgresql.go b/pkg/clients/postgresql/postgresql.go
index 270bb92c..034414e6 100644
--- a/pkg/clients/postgresql/postgresql.go
+++ b/pkg/clients/postgresql/postgresql.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"errors"
 	"net/url"
+	"os"
 
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 	"github.com/lib/pq"
@@ -23,31 +24,104 @@ type postgresDB struct {
 	dsn      string
 	endpoint string
 	port     string
-	sslmode  string
+	options  Options
+}
+
+type Options struct {
+	SSLMode     string
+	SSLCert     string
+	SSLKey      string
+	SSLRootCert string
+}
+
+func (o Options) queryString() string {
+	values := url.Values{}
+
+	if o.SSLMode != "" {
+		values.Add("sslmode", o.SSLMode)
+	}
+
+	if o.SSLCert != "" {
+		values.Add("sslcert", o.SSLCert)
+	}
+
+	if o.SSLKey != "" {
+		values.Add("sslkey", o.SSLKey)
+	}
+
+	if o.SSLRootCert != "" {
+		values.Add("sslrootcert", o.SSLRootCert)
+	}
+
+	return values.Encode()
+}
+
+func (o *Options) withSecretData(data map[string][]byte) error {
+	set := func(key string, to *string) error {
+		v, ok := data[key]
+
+		if !ok {
+			return nil
+		}
+
+		f, err := os.CreateTemp("", key)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		if _, err := f.Write(v); err != nil {
+			return err
+		}
+
+		*to = f.Name()
+
+		return nil
+	}
+
+	if err := set(xpv1.ResourceCredentialsSecretClientCertKey, &o.SSLCert); err != nil {
+		return err
+	}
+
+	if err := set(xpv1.ResourceCredentialsSecretClientKeyKey, &o.SSLKey); err != nil {
+		return err
+	}
+
+	if err := set(xpv1.ResourceCredentialsSecretCAKey, &o.SSLRootCert); err != nil {
+		return err
+	}
+
+	return nil
 }
 
 // New returns a new PostgreSQL database client. The default database name is
 // an empty string. The underlying pq library will default to either using the
 // value of PGDATABASE, or if unset, the hardcoded string 'postgres'.
-// The sslmode defines the mode used to set up the connection for the provider.
-func New(creds map[string][]byte, database, sslmode string) xsql.DB {
+// The options provide additional settings to set up the connection for the
+// provider.
+func New(data map[string][]byte, database string, options Options) (xsql.DB, error) {
 	// TODO(negz): Support alternative connection secret formats?
-	endpoint := string(creds[xpv1.ResourceCredentialsSecretEndpointKey])
-	port := string(creds[xpv1.ResourceCredentialsSecretPortKey])
-	username := string(creds[xpv1.ResourceCredentialsSecretUserKey])
-	password := string(creds[xpv1.ResourceCredentialsSecretPasswordKey])
-	dsn := DSN(username, password, endpoint, port, database, sslmode)
+	endpoint := string(data[xpv1.ResourceCredentialsSecretEndpointKey])
+	port := string(data[xpv1.ResourceCredentialsSecretPortKey])
+	username := string(data[xpv1.ResourceCredentialsSecretUserKey])
+	password := string(data[xpv1.ResourceCredentialsSecretPasswordKey])
+
+	if err := options.withSecretData(data); err != nil {
+		return nil, err
+	}
+
+	dsn := DSN(username, password, endpoint, port, database, options.queryString())
 
 	return postgresDB{
 		dsn:      dsn,
 		endpoint: endpoint,
 		port:     port,
-		sslmode:  sslmode,
-	}
+		options:  options,
+	}, nil
 }
 
 // DSN returns the DSN URL
-func DSN(username, password, endpoint, port, database, sslmode string) string {
+func DSN(username, password, endpoint, port, database, options string) string {
 	// Use net/url UserPassword to encode the username and password
 	// This will ensure that any special characters in the username or password
 	// are percent-encoded for use in the user info portion of the DSN URL
@@ -57,7 +131,8 @@ func DSN(username, password, endpoint, port, database, sslmode string) string {
 		endpoint + ":" +
 		port + "/" +
 		database +
-		"?sslmode=" + sslmode
+		"?" + options
+
 }
 
 // ExecTx executes an array of queries, committing if all are successful and
@@ -130,10 +205,13 @@ func (c postgresDB) Scan(ctx context.Context, q xsql.Query, dest ...interface{})
 // GetConnectionDetails returns the connection details for a user of this DB
 func (c postgresDB) GetConnectionDetails(username, password string) managed.ConnectionDetails {
 	return managed.ConnectionDetails{
-		xpv1.ResourceCredentialsSecretUserKey:     []byte(username),
-		xpv1.ResourceCredentialsSecretPasswordKey: []byte(password),
-		xpv1.ResourceCredentialsSecretEndpointKey: []byte(c.endpoint),
-		xpv1.ResourceCredentialsSecretPortKey:     []byte(c.port),
+		xpv1.ResourceCredentialsSecretUserKey:       []byte(username),
+		xpv1.ResourceCredentialsSecretPasswordKey:   []byte(password),
+		xpv1.ResourceCredentialsSecretEndpointKey:   []byte(c.endpoint),
+		xpv1.ResourceCredentialsSecretPortKey:       []byte(c.port),
+		xpv1.ResourceCredentialsSecretClientCertKey: []byte(c.options.SSLCert),
+		xpv1.ResourceCredentialsSecretClientKeyKey:  []byte(c.options.SSLKey),
+		xpv1.ResourceCredentialsSecretCAKey:         []byte(c.options.SSLRootCert),
 	}
 }
 
diff --git a/pkg/clients/postgresql/postgresql_test.go b/pkg/clients/postgresql/postgresql_test.go
index a2056b91..bdb3cfc1 100644
--- a/pkg/clients/postgresql/postgresql_test.go
+++ b/pkg/clients/postgresql/postgresql_test.go
@@ -1,7 +1,27 @@
 package postgresql
 
 import (
+	"os"
 	"testing"
+
+	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+)
+
+const (
+	cert = `-----BEGIN CERTIFICATE-----
+MIIE/zCCAuegAwIBAgIUaQ2NqCCwap45bHpheQkI8ogei9wwDQYJKoZIhvcNAQEL
+nttUIJXC4NaaNY8xpwYBQF+Qm/Fkr68f2PbEQKp5MH1SI6U=
+-----END CERTIFICATE-----`
+
+	key = `-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDBLPQTfvYTlFE1
+cX7ME/e2Dw2PsBiJYZaE7Nt/J1U5
+-----END PRIVATE KEY-----`
+
+	ca = `-----BEGIN CERTIFICATE-----
+MIIE+zCCAuOgAwIBAgIUSGfXbm4N5zBbvOo3tKJHMwxMu7YwDQYJKoZIhvcNAQEL
+tayuDzWN/5JRcsY3WSewY9kAzwLCXWzY9GzvBcRrPQ==
+-----END CERTIFICATE-----`
 )
 
 func TestDSNURLEscaping(t *testing.T) {
@@ -12,8 +32,54 @@ func TestDSNURLEscaping(t *testing.T) {
 	rawPass := "password^"
 	encPass := "password%5E"
 	sslmode := "require"
-	dsn := DSN(user, rawPass, endpoint, port, db, sslmode)
+	options := Options{
+		SSLMode: sslmode,
+	}
+	dsn := DSN(user, rawPass, endpoint, port, db, options.queryString())
 	if dsn != "postgres://"+user+":"+encPass+"@"+endpoint+":"+port+"/"+db+"?sslmode="+sslmode {
 		t.Errorf("DSN string did not match expected output with userinfo URL encoded")
 	}
 }
+
+func TestOptionsToQueryString(t *testing.T) {
+	tmpdir := t.TempDir()
+	os.Setenv("TMPDIR", tmpdir)
+
+	inline := Options{}
+	inline.withSecretData(map[string][]byte{
+		v1.ResourceCredentialsSecretClientCertKey: []byte(cert),
+		v1.ResourceCredentialsSecretClientKeyKey:  []byte(key),
+		v1.ResourceCredentialsSecretCAKey:         []byte(ca),
+	})
+
+	cases := []struct {
+		name     string
+		given    Options
+		expected string
+	}{
+		{
+			name:     "empty",
+			given:    Options{},
+			expected: "",
+		},
+		{
+			name: "everything",
+			given: Options{
+				SSLMode:     "require",
+				SSLCert:     "/path/to/ssl.crt",
+				SSLKey:      "/path/to/ssl.key",
+				SSLRootCert: "/path/to/ca.crt",
+			},
+			expected: "sslcert=%2Fpath%2Fto%2Fssl.crt&sslkey=%2Fpath%2Fto%2Fssl.key&sslmode=require&sslrootcert=%2Fpath%2Fto%2Fca.crt",
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			got := c.given.queryString()
+			if c.expected != got {
+				t.Errorf("Expected query string to be %q, but it was %q", c.expected, got)
+			}
+		})
+	}
+}
diff --git a/pkg/controller/postgresql/database/reconciler.go b/pkg/controller/postgresql/database/reconciler.go
index 9990a5f7..11c9f250 100644
--- a/pkg/controller/postgresql/database/reconciler.go
+++ b/pkg/controller/postgresql/database/reconciler.go
@@ -40,16 +40,16 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
 const (
-	errTrackPCUsage = "cannot track ProviderConfig usage"
-	errGetPC        = "cannot get ProviderConfig"
-	errNoSecretRef  = "ProviderConfig does not reference a credentials Secret"
-	errGetSecret    = "cannot get credentials Secret"
+	errTrackPCUsage     = "cannot track ProviderConfig usage"
+	errGetPC            = "cannot get ProviderConfig"
+	errNoSecretRef      = "ProviderConfig does not reference a credentials Secret"
+	errGetSecret        = "cannot get credentials Secret"
+	errCreateConnection = "cannot configure connection"
 
 	errNotDatabase       = "managed resource is not a Database custom resource"
 	errSelectDB          = "cannot select database"
@@ -93,7 +93,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -126,7 +126,12 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 
-	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode))}, nil
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateConnection)
+	}
+
+	return &external{db}, nil
 }
 
 type external struct{ db xsql.DB }
diff --git a/pkg/controller/postgresql/database/reconciler_test.go b/pkg/controller/postgresql/database/reconciler_test.go
index 98287ceb..ea3d2c3d 100644
--- a/pkg/controller/postgresql/database/reconciler_test.go
+++ b/pkg/controller/postgresql/database/reconciler_test.go
@@ -32,6 +32,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
@@ -64,7 +65,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {
diff --git a/pkg/controller/postgresql/extension/reconciler.go b/pkg/controller/postgresql/extension/reconciler.go
index ac2ae11d..c286823c 100644
--- a/pkg/controller/postgresql/extension/reconciler.go
+++ b/pkg/controller/postgresql/extension/reconciler.go
@@ -36,7 +36,6 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
@@ -85,7 +84,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -118,13 +117,23 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 
+	options := pc.Spec.Options()
+
 	// We do not want to create an extension on the default DB
 	// if the user was expecting a database name to be resolved.
 	if cr.Spec.ForProvider.Database != nil {
-		return &external{db: c.newDB(s.Data, *cr.Spec.ForProvider.Database, clients.ToString(pc.Spec.SSLMode))}, nil
+		db, err := c.newDB(s.Data, *cr.Spec.ForProvider.Database, options)
+		if err != nil {
+			return nil, err
+		}
+		return &external{db}, nil
 	}
 
-	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode))}, nil
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, options)
+	if err != nil {
+		return nil, err
+	}
+	return &external{db}, nil
 }
 
 type external struct{ db xsql.DB }
diff --git a/pkg/controller/postgresql/extension/reconciler_test.go b/pkg/controller/postgresql/extension/reconciler_test.go
index d675f016..a7cc30da 100644
--- a/pkg/controller/postgresql/extension/reconciler_test.go
+++ b/pkg/controller/postgresql/extension/reconciler_test.go
@@ -32,6 +32,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
@@ -64,7 +65,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {
diff --git a/pkg/controller/postgresql/grant/reconciler.go b/pkg/controller/postgresql/grant/reconciler.go
index 7a236c09..39dd0147 100644
--- a/pkg/controller/postgresql/grant/reconciler.go
+++ b/pkg/controller/postgresql/grant/reconciler.go
@@ -37,16 +37,16 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
 const (
-	errTrackPCUsage = "cannot track ProviderConfig usage"
-	errGetPC        = "cannot get ProviderConfig"
-	errNoSecretRef  = "ProviderConfig does not reference a credentials Secret"
-	errGetSecret    = "cannot get credentials Secret"
+	errTrackPCUsage     = "cannot track ProviderConfig usage"
+	errGetPC            = "cannot get ProviderConfig"
+	errNoSecretRef      = "ProviderConfig does not reference a credentials Secret"
+	errGetSecret        = "cannot get credentials Secret"
+	errCreateConnection = "cannot configure connection"
 
 	errNotGrant     = "managed resource is not a Grant custom resource"
 	errSelectGrant  = "cannot select grant"
@@ -94,7 +94,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -126,8 +126,14 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 	if err := c.kube.Get(ctx, types.NamespacedName{Namespace: ref.Namespace, Name: ref.Name}, s); err != nil {
 		return nil, errors.Wrap(err, errGetSecret)
 	}
+
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateConnection)
+	}
+
 	return &external{
-		db:   c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode)),
+		db:   db,
 		kube: c.kube,
 	}, nil
 }
diff --git a/pkg/controller/postgresql/grant/reconciler_test.go b/pkg/controller/postgresql/grant/reconciler_test.go
index 8ab046db..5cc192b2 100644
--- a/pkg/controller/postgresql/grant/reconciler_test.go
+++ b/pkg/controller/postgresql/grant/reconciler_test.go
@@ -37,6 +37,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
@@ -74,7 +75,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {
diff --git a/pkg/controller/postgresql/role/reconciler.go b/pkg/controller/postgresql/role/reconciler.go
index 055e4b77..2d0f1b60 100644
--- a/pkg/controller/postgresql/role/reconciler.go
+++ b/pkg/controller/postgresql/role/reconciler.go
@@ -42,16 +42,16 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
 const (
-	errTrackPCUsage = "cannot track ProviderConfig usage"
-	errGetPC        = "cannot get ProviderConfig"
-	errNoSecretRef  = "ProviderConfig does not reference a credentials Secret"
-	errGetSecret    = "cannot get credentials Secret"
+	errTrackPCUsage     = "cannot track ProviderConfig usage"
+	errGetPC            = "cannot get ProviderConfig"
+	errNoSecretRef      = "ProviderConfig does not reference a credentials Secret"
+	errGetSecret        = "cannot get credentials Secret"
+	errCreateConnection = "cannot configure connection"
 
 	errNotRole                 = "managed resource is not a Role custom resource"
 	errSelectRole              = "cannot select role"
@@ -95,7 +95,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -128,8 +128,13 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateConnection)
+	}
+
 	return &external{
-		db:   c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode)),
+		db:   db,
 		kube: c.kube,
 	}, nil
 }
diff --git a/pkg/controller/postgresql/role/reconciler_test.go b/pkg/controller/postgresql/role/reconciler_test.go
index f151a4ee..b75f6cca 100644
--- a/pkg/controller/postgresql/role/reconciler_test.go
+++ b/pkg/controller/postgresql/role/reconciler_test.go
@@ -38,6 +38,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
@@ -78,7 +79,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {
diff --git a/pkg/controller/postgresql/schema/reconciler.go b/pkg/controller/postgresql/schema/reconciler.go
index d60cbe13..86932140 100644
--- a/pkg/controller/postgresql/schema/reconciler.go
+++ b/pkg/controller/postgresql/schema/reconciler.go
@@ -37,16 +37,16 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
 const (
-	errTrackPCUsage = "cannot track ProviderConfig usage"
-	errGetPC        = "cannot get ProviderConfig"
-	errNoSecretRef  = "ProviderConfig does not reference a credentials Secret"
-	errGetSecret    = "cannot get credentials Secret"
+	errTrackPCUsage     = "cannot track ProviderConfig usage"
+	errGetPC            = "cannot get ProviderConfig"
+	errNoSecretRef      = "ProviderConfig does not reference a credentials Secret"
+	errGetSecret        = "cannot get credentials Secret"
+	errCreateConnection = "cannot configure connection"
 
 	errNotSchema    = "managed resource is not a Schema custom resource"
 	errSelectSchema = "cannot select schema"
@@ -88,7 +88,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -125,7 +125,12 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.New(errNoDatabase)
 	}
 
-	return &external{db: c.newDB(s.Data, *cr.Spec.ForProvider.Database, clients.ToString(pc.Spec.SSLMode))}, nil
+	db, err := c.newDB(s.Data, *cr.Spec.ForProvider.Database, pc.Spec.Options())
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateConnection)
+	}
+
+	return &external{db}, nil
 }
 
 type external struct{ db xsql.DB }
diff --git a/pkg/controller/postgresql/schema/reconciler_test.go b/pkg/controller/postgresql/schema/reconciler_test.go
index d2c493e5..452b148c 100644
--- a/pkg/controller/postgresql/schema/reconciler_test.go
+++ b/pkg/controller/postgresql/schema/reconciler_test.go
@@ -34,6 +34,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
@@ -70,7 +71,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {