diff --git a/roles/zoneminder/tasks/main.yml b/roles/zoneminder/tasks/main.yml
index 2e1e96f..ebdfde4 100644
--- a/roles/zoneminder/tasks/main.yml
+++ b/roles/zoneminder/tasks/main.yml
@@ -51,6 +51,13 @@
   notify: restart zoneminder
   when: zm_mysql_host != "localhost"
 
+- name: allow zoneminder to read host private key
+  user:
+    name: apache
+    groups: hostkey
+    append: true
+  when: zm_mysql_host != "localhost"
+
 # selinux doesn't allow create this
 - name: create stub web log
   file:
diff --git a/roles/zoneminder/templates/zm.conf b/roles/zoneminder/templates/zm.conf
index a692f6b..9e29854 100644
--- a/roles/zoneminder/templates/zm.conf
+++ b/roles/zoneminder/templates/zm.conf
@@ -6,3 +6,8 @@ ZM_DB_HOST={{ zm_mysql_host }}
 ZM_DB_NAME={{ zm_mysql_db}}
 ZM_DB_USER={{ zm_mysql_user }}
 ZM_DB_PASS={{ zm_mysql_pass }}
+{% if zm_mysql_host != "localhost" %}
+ZM_DB_SSL_CA_CERT={{ tls_certs }}/ca.crt
+ZM_DB_SSL_CLIENT_KEY={{ tls_private }}/{{ inventory_hostname }}.key
+ZM_DB_SSL_CLIENT_CERT={{ tls_certs }}/{{ inventory_hostname }}.crt
+{% endif %}