diff --git a/digdag-core/src/main/java/io/digdag/core/database/DatabaseConfig.java b/digdag-core/src/main/java/io/digdag/core/database/DatabaseConfig.java
index 9ddfb94ea7..187f866eb5 100644
--- a/digdag-core/src/main/java/io/digdag/core/database/DatabaseConfig.java
+++ b/digdag-core/src/main/java/io/digdag/core/database/DatabaseConfig.java
@@ -88,6 +88,11 @@ static DatabaseConfig convertFrom(Config config, String keyPrefix)
 .loginTimeout(config.get(keyPrefix + "." + "loginTimeout", int.class, 30))
 .socketTimeout(config.get(keyPrefix + "." + "socketTimeout", int.class, 1800))
 .ssl(config.get(keyPrefix + "." + "ssl", boolean.class, false))
+ .sslfactory(config.get(keyPrefix + "." + "sslfactory", String.class, "org.postgresql.ssl.NonValidatingFactory"))
+ .sslmode(config.getOptional(keyPrefix + "." + "sslmode", String.class))
+ .sslcert(config.getOptional(keyPrefix + "." + "sslcert", String.class))
+ .sslkey(config.getOptional(keyPrefix + "." + "sslkey", String.class))
+ .sslrootcert(config.getOptional(keyPrefix + "." + "sslrootcert", String.class))
 .build()));
 break;
 default:
@@ -169,6 +174,11 @@ static Config toConfig(DatabaseConfig databaseConfig, ConfigFactory cf, String k
 config.set(keyPrefix + "." + "loginTimeout", remoteDatabaseConfig.getLoginTimeout());
 config.set(keyPrefix + "." + "socketTimeout", remoteDatabaseConfig.getSocketTimeout());
 config.set(keyPrefix + "." + "ssl", remoteDatabaseConfig.getSsl());
+ config.set(keyPrefix + "." + "sslfactory", remoteDatabaseConfig.getSslfactory());
+ config.setOptional(keyPrefix + "." + "sslmode", remoteDatabaseConfig.getSslmode());
+ config.setOptional(keyPrefix + "." + "sslcert", remoteDatabaseConfig.getSslcert());
+ config.setOptional(keyPrefix + "." + "sslkey", remoteDatabaseConfig.getSslkey());
+ config.setOptional(keyPrefix + "." + "sslrootcert", remoteDatabaseConfig.getSslrootcert());
 break;
 default:
 throw new AssertionError("Unknown database.type: " + databaseConfig.getType());
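Review bot: The `sslfactory` default of `org.postgresql.ssl.NonValidatingFactory` in convertFrom still disables server certificate validation, while the new `sslmode`/`sslcert`/`sslkey`/`sslrootcert` keys are only meaningful once the operator also switches the factory, so a config that sets `database.sslmode = verify-full` and `database.sslrootcert` but leaves `sslfactory` at its default presumably still skips chain validation (how pgjdbc reconciles sslmode with an explicit non-validating factory is version-dependent, so confirm against the driver in use). Keeping the old default is defensible for compatibility, but the mismatch should not be silent: either here or in buildJdbcProperties (the -268,7 hunk, which has the same gap) warn or reject when any of the four optional keys is present while sslfactory is still NonValidatingFactory. A lighter alternative is to make the default depend on sslmode, e.g. `String defaultFactory = config.getOptional(keyPrefix + "." + "sslmode", String.class).isPresent() ? "org.postgresql.ssl.LibPQFactory" : "org.postgresql.ssl.NonValidatingFactory";` and pass `defaultFactory` as the third argument of the `sslfactory` lookup. convertFrom starts and ends outside this hunk.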
@@ -268,7 +278,19 @@ static Properties buildJdbcProperties(DatabaseConfig config)
 props.setProperty("password", rc.get().getPassword());
 if (rc.get().getSsl()) {
 props.setProperty("ssl", "true");
- props.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory"); // disable server certificate validation
+ props.setProperty("sslfactory", rc.get().getSslfactory());
+ if (rc.get().getSslmode().isPresent()) {
+ props.setProperty("sslmode", rc.get().getSslmode().get());
+ }
+ if (rc.get().getSslcert().isPresent()) {
+ props.setProperty("sslcert", rc.get().getSslcert().get());
+ }
+ if (rc.get().getSslkey().isPresent()) {
+ props.setProperty("sslkey", rc.get().getSslkey().get());
+ }
+ if (rc.get().getSslrootcert().isPresent()) {
+ props.setProperty("sslrootcert", rc.get().getSslrootcert().get());
+ }
 }
 }
diff --git a/digdag-core/src/main/java/io/digdag/core/database/RemoteDatabaseConfig.java b/digdag-core/src/main/java/io/digdag/core/database/RemoteDatabaseConfig.java
index 42175e3270..77f35d0ab3 100644
--- a/digdag-core/src/main/java/io/digdag/core/database/RemoteDatabaseConfig.java
+++ b/digdag-core/src/main/java/io/digdag/core/database/RemoteDatabaseConfig.java
@@ -27,6 +27,16 @@ public interface RemoteDatabaseConfig
 boolean getSsl();
+ String getSslfactory();
+
+ Optional getSslmode();
+
+ Optional getSslcert();
+
+ Optional getSslkey();
+
+ Optional getSslrootcert();
+
 String getDatabase();
 static ImmutableRemoteDatabaseConfig.Builder builder()
diff --git a/digdag-docs/src/command_reference.rst b/digdag-docs/src/command_reference.rst
index 1ed95c9d51..9f83a11f7c 100644
--- a/digdag-docs/src/command_reference.rst
+++ b/digdag-docs/src/command_reference.rst
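Review bot: Every property in the new `if (rc.get().getSsl())` block re-unwraps `rc.get()` and pairs `isPresent()` with `get()`, so the four ssl branches read as copy-paste of one another; bind the config once and route the optional values through a small helper, which also works whether this `Optional` is java.util's or Guava's (the hunk does not show which). The removed `// disable server certificate validation` comment is still true for the default factory value, so carry that intent forward as a comment on the `sslfactory` line rather than dropping it. buildJdbcProperties begins outside the hunk and the `rc` local is declared before it.
```java
RemoteDatabaseConfig remote = rc.get();
// … unchanged: user and password properties …
if (remote.getSsl()) {
    props.setProperty("ssl", "true");
    // NonValidatingFactory (the configured default) skips server certificate validation
    props.setProperty("sslfactory", remote.getSslfactory());
    setIfPresent(props, "sslmode", remote.getSslmode());
    setIfPresent(props, "sslcert", remote.getSslcert());
    setIfPresent(props, "sslkey", remote.getSslkey());
    setIfPresent(props, "sslrootcert", remote.getSslrootcert());
}
// … unchanged: remainder of buildJdbcProperties …

// Copies an optional config value into the JDBC properties only when it is set.
private static void setIfPresent(Properties props, String key, Optional<String> value)
{
    if (value.isPresent()) {
        props.setProperty(key, value.get());
    }
}
```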
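Review bot: The five new accessors on RemoteDatabaseConfig carry no Javadoc, and `getSslfactory` in particular needs one because its value decides whether the other four have any effect; add something like `/** Class name passed to pgjdbc as {@code sslfactory}; the default {@code org.postgresql.ssl.NonValidatingFactory} does not validate the server certificate, so {@code org.postgresql.ssl.LibPQFactory} must be set for sslmode/sslcert/sslkey/sslrootcert to apply. */`. The four optional accessors appear here as raw `Optional`; if the type argument was really omitted rather than lost in rendering, declare them as `Optional<String> getSslmode();` and so on, matching the `String.class` lookups in convertFrom. For `getSslkey`, a one-line Javadoc noting the key-file format the chosen factory expects would save operators a failed startup — I recall LibPQFactory wanting a DER-encoded PKCS#8 key rather than PEM, but confirm against the pgjdbc version in use before documenting it.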
@@ -361,6 +361,11 @@ In the config file, following parameters are available
 * database.loginTimeout (seconds in integer, default: 30)
 * database.socketTimeout (seconds in integer, default: 1800)
 * database.ssl (boolean, default: false)
+* database.sslfactory (string, default: "org.postgresql.ssl.NonValidatingFactory", "org.postgresql.ssl.LibPQFactory" is also available)
+* database.sslmode (string, "disable", "allow", "prefer", "require", "verify-ca" or "verify-full". enable if sslfactory is set to "org.postgresql.ssl.LibPQFactory")
+* database.sslcert (path to ssl cert file in string. enable if sslfactory is set to "org.postgresql.ssl.LibPQFactory")
+* database.sslkey (path to ssl key file in string. enable if sslfactory is set to "org.postgresql.ssl.LibPQFactory")
+* database.sslrootcert (path to ssl root cert file. enable if sslfactory is set to "org.postgresql.ssl.LibPQFactory")
 * database.connectionTimeout (seconds in integer, default: 30)
 * database.idleTimeout (seconds in integer, default: 600)
 * database.validationTimeout (seconds in integer, default: 5)