diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index db023d08933..9f9f2d4c40b 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -127,7 +127,24 @@ jobs: timeout-minutes: 20 - name: Setup cluster run: | - make up + case ${{ matrix.compiler }} in + gcc-*) + case ${{ matrix.os }} in + centos7) + # normal cluster + make up + ;; + ubuntu2004) + # ssl cluster + make ENABLE_SSL=true CA_SIGNED=true up + ;; + esac + ;; + clang-*) + # graph ssl only cluster + make ENABLE_SSL=false ENABLE_GRAPH_SSL=true up + ;; + esac working-directory: tests/ timeout-minutes: 2 - name: Pytest diff --git a/src/clients/meta/MetaClient.cpp b/src/clients/meta/MetaClient.cpp index 55612eb64d9..9df2a1e8527 100644 --- a/src/clients/meta/MetaClient.cpp +++ b/src/clients/meta/MetaClient.cpp @@ -19,6 +19,7 @@ #include "common/http/HttpClient.h" #include "common/meta/NebulaSchemaProvider.h" #include "common/network/NetworkUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/stats/StatsManager.h" #include "common/time/TimeUtils.h" #include "version/Version.h" @@ -49,7 +50,8 @@ MetaClient::MetaClient(std::shared_ptr ioThreadPool CHECK(ioThreadPool_ != nullptr) << "IOThreadPool is required"; CHECK(!addrs_.empty()) << "No meta server address is specified or can be solved. Meta server is required"; - clientsMan_ = std::make_shared>(); + clientsMan_ = std::make_shared>( + FLAGS_enable_ssl || FLAGS_enable_meta_ssl); updateActive(); updateLeader(); bgThread_ = std::make_unique(); diff --git a/src/clients/meta/test/CMakeLists.txt b/src/clients/meta/test/CMakeLists.txt index b732a4748b6..80fc0bf0434 100644 --- a/src/clients/meta/test/CMakeLists.txt +++ b/src/clients/meta/test/CMakeLists.txt @@ -10,5 +10,6 @@ nebula_add_test( $ $ $ + $ LIBRARIES gtest ) diff --git a/src/clients/storage/StorageClientBase-inl.h b/src/clients/storage/StorageClientBase-inl.h index 608639bf471..c8adf7028aa 100644 
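Review bot: None of the three `case` branches sets `ENABLE_META_SSL`, so the meta-only TLS configuration (meta server encrypted while graph/storage RPC stays plaintext, which MetaClient and StorageDaemon gate on `FLAGS_enable_ssl || FLAGS_enable_meta_ssl`) is never exercised in CI; the gcc/ubuntu2004 job covers the fully CA-signed cluster and the clang job covers graph-only SSL with a self-signed cert. Consider giving one job `make ENABLE_META_SSL=true CA_SIGNED=true up`, or add a comment above the `case` stating that meta-only SSL is deliberately left untested. The unquoted `${{ matrix.compiler }}` / `${{ matrix.os }}` substitutions are fine for the fixed matrix values used here but would break the shell `case` on any value containing whitespace; `case "${{ matrix.compiler }}" in` is cheap insurance.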
--- a/src/clients/storage/StorageClientBase-inl.h +++ b/src/clients/storage/StorageClientBase-inl.h @@ -8,6 +8,7 @@ #include +#include "common/ssl/SSLConfig.h" #include "common/time/WallClock.h" namespace nebula { @@ -72,7 +73,7 @@ template StorageClientBase::StorageClientBase( std::shared_ptr threadPool, meta::MetaClient* metaClient) : metaClient_(metaClient), ioThreadPool_(threadPool) { - clientsMan_ = std::make_unique>(); + clientsMan_ = std::make_unique>(FLAGS_enable_ssl); } template diff --git a/src/codec/test/CMakeLists.txt b/src/codec/test/CMakeLists.txt index 2ce9788956e..05581db1c94 100644 --- a/src/codec/test/CMakeLists.txt +++ b/src/codec/test/CMakeLists.txt @@ -31,6 +31,7 @@ set(CODEC_TEST_LIBS $ $ $ + $ ) diff --git a/src/common/CMakeLists.txt b/src/common/CMakeLists.txt index 9122bd1f76f..fe404277c93 100644 --- a/src/common/CMakeLists.txt +++ b/src/common/CMakeLists.txt @@ -25,3 +25,4 @@ nebula_add_subdirectory(function) nebula_add_subdirectory(graph) nebula_add_subdirectory(plugin) nebula_add_subdirectory(utils) +nebula_add_subdirectory(ssl) diff --git a/src/common/ssl/CMakeLists.txt b/src/common/ssl/CMakeLists.txt new file mode 100644 index 00000000000..eb19ddc3442 --- /dev/null +++ b/src/common/ssl/CMakeLists.txt @@ -0,0 +1,10 @@ +# Copyright (c) 2021 vesoft inc. All rights reserved. +# +# This source code is licensed under Apache 2.0 License, +# attached with Common Clause Condition 1.0, found in the LICENSES directory. + +nebula_add_library( + ssl_obj + OBJECT + SSLConfig.cpp +) diff --git a/src/common/ssl/SSLConfig.cpp b/src/common/ssl/SSLConfig.cpp new file mode 100644 index 00000000000..5f39f26c5ac --- /dev/null +++ b/src/common/ssl/SSLConfig.cpp 
@@ -0,0 +1,38 @@
+/* Copyright (c) 2021 vesoft inc. All rights reserved.
+ *
+ * This source code is licensed under Apache 2.0 License,
+ * attached with Common Clause Condition 1.0, found in the LICENSES directory.
+ */
+
+#include "common/ssl/SSLConfig.h"
+
+DEFINE_string(cert_path, "", "Path to cert pem.");
+DEFINE_string(key_path, "", "Path to cert key.");
+DEFINE_string(ca_path, "", "Path to trusted CA file.");
+DEFINE_bool(enable_ssl, false, "Whether to enable ssl.");
+DEFINE_bool(enable_graph_ssl, false, "Whether to enable ssl of graph server.");
+DEFINE_bool(enable_meta_ssl, false, "Whether to enable ssl of meta server.");
+
+namespace nebula {
+
+std::shared_ptr sslContextConfig() {
+ auto sslCfg = std::make_shared();
+ sslCfg->addCertificate(FLAGS_cert_path, FLAGS_key_path, "");
+ sslCfg->isDefault = true;
+ return sslCfg;
+}
+
+std::shared_ptr createSSLContext() {
+ auto context = std::make_shared();
+ if (!FLAGS_ca_path.empty()) {
+ context->loadTrustedCertificates(FLAGS_ca_path.c_str());
+ // don't do peer name validation
+ context->authenticate(true, false);
+ // verify the server cert
+ context->setVerificationOption(folly::SSLContext::SSLVerifyPeerEnum::VERIFY);
+ }
+ folly::ssl::setSignatureAlgorithms(*context);
+ return context;
+}
+
+} // namespace nebula
diff --git a/src/common/ssl/SSLConfig.h b/src/common/ssl/SSLConfig.h
new file mode 100644
index 00000000000..45889b86b27
--- /dev/null
+++ b/src/common/ssl/SSLConfig.h
@@ -0,0 +1,26 @@
+
+/* Copyright (c) 2021 vesoft inc. All rights reserved.
+ *
+ * This source code is licensed under Apache 2.0 License,
+ * attached with Common Clause Condition 1.0, found in the LICENSES directory.
+ */
+
+#pragma once
+
+#include
+#include
+#include
+
+#include
+
+DECLARE_bool(enable_ssl);
+DECLARE_bool(enable_graph_ssl);
+DECLARE_bool(enable_meta_ssl);
+
+namespace nebula {
+
+extern std::shared_ptr sslContextConfig();
+
+extern std::shared_ptr createSSLContext();
+
+} // namespace nebula
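Review bot: `createSSLContext()` verifies the peer certificate only when `--ca_path` is non-empty; with the default empty `ca_path` the `if` is skipped entirely and the client completes the handshake against whatever certificate the server presents, so the connection is encrypted but unauthenticated and an active attacker on the path can terminate it. Even in the CA mode, `authenticate(true, false)` disables hostname validation, so any certificate chaining to the CA is accepted for any host (consistent with the test certificates carrying no SAN, but that trade-off belongs in the `ca_path` help text rather than a two-word comment). On the server side `sslContextConfig()` sets no client CA or client-verification option, so meta, storage, admin and raft listeners authenticate nothing at the TLS layer; if that is the intended scope, say so in a comment on `sslContextConfig()`. At minimum the unverified client mode should be loud: add `if (FLAGS_ca_path.empty()) { LOG(WARNING) << "ca_path is empty, TLS peer certificates will not be verified"; }` (or the project's logging macro of choice) before the existing `if`, and rewrite the two comments as `// hostname validation is off: any cert chaining to ca_path is accepted for any host` and `// reject peers whose cert does not chain to ca_path`.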
diff --git a/src/common/thrift/ThriftClientManager-inl.h b/src/common/thrift/ThriftClientManager-inl.h index fe907bcc7bb..caf0a27f252 100644 --- a/src/common/thrift/ThriftClientManager-inl.h +++ b/src/common/thrift/ThriftClientManager-inl.h @@ -6,11 +6,13 @@ #pragma once +#include #include #include #include #include "common/network/NetworkUtils.h" +#include "common/ssl/SSLConfig.h" DECLARE_int32(conn_timeout_ms); @@ -71,9 +73,14 @@ std::shared_ptr ThriftClientManager::client(const HostAd VLOG(2) << "Connecting to " << host << " for " << ++connectionCount << " times"; std::shared_ptr socket; - evb->runImmediatelyOrRunInEventBaseThreadAndWait([&socket, evb, resolved]() { - socket = - folly::AsyncSocket::newSocket(evb, resolved.host, resolved.port, FLAGS_conn_timeout_ms); + evb->runImmediatelyOrRunInEventBaseThreadAndWait([this, &socket, evb, resolved]() { + if (enableSSL_) { + socket = folly::AsyncSSLSocket::newSocket(nebula::createSSLContext(), evb); + socket->connect(nullptr, resolved.host, resolved.port, FLAGS_conn_timeout_ms); + } else { + socket = + folly::AsyncSocket::newSocket(evb, resolved.host, resolved.port, FLAGS_conn_timeout_ms); + } }); auto headerClientChannel = apache::thrift::HeaderClientChannel::newChannel(socket); if (timeout > 0) { diff --git a/src/common/thrift/ThriftClientManager.h b/src/common/thrift/ThriftClientManager.h index da5c16dcaf4..fa23b3678f3 100644 --- a/src/common/thrift/ThriftClientManager.h +++ b/src/common/thrift/ThriftClientManager.h @@ -7,6 +7,7 @@ #ifndef COMMON_THRIFT_THRIFTCLIENTMANAGER_H_ #define COMMON_THRIFT_THRIFTCLIENTMANAGER_H_ +#include #include #include "common/base/Base.h" @@ -25,7 +26,9 @@ class ThriftClientManager final { ~ThriftClientManager() { VLOG(3) << "~ThriftClientManager"; } - ThriftClientManager() { VLOG(3) << "ThriftClientManager"; } + explicit ThriftClientManager(bool enableSSL = false) : enableSSL_(enableSSL) { + VLOG(3) << "ThriftClientManager"; + } private: using ClientMap = std::unordered_map, // 
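Review bot: Each cache miss in `client()` now constructs a fresh `folly::SSLContext` through `nebula::createSSLContext()` on the event-base thread, which re-reads and re-parses `ca_path` from disk and re-applies the signature-algorithm setup for every new connection; the context is not mutated after creation and is shared by design, so build it once in the `ThriftClientManager` constructor (`sslContext_ = enableSSL ? nebula::createSSLContext() : nullptr;`) and pass `sslContext_` to `AsyncSSLSocket::newSocket` here. `socket->connect(nullptr, ...)` supplies no `ConnectCallback`, so a handshake or certificate-verification failure is not reported at the point where `host` is known and presumably surfaces only as a generic channel error on the first RPC; a small callback that logs `host` and the SSL error would make a mis-deployed CA or cert diagnosable. The enclosing `client()` begins and ends outside this hunk.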
@@ -34,6 +37,8 @@ class ThriftClientManager final { >; folly::ThreadLocal clientMap_; + // whether enable ssl + bool enableSSL_{false}; }; } // namespace thrift diff --git a/src/daemons/CMakeLists.txt b/src/daemons/CMakeLists.txt index ce7ec27cb95..f69da66c10f 100644 --- a/src/daemons/CMakeLists.txt +++ b/src/daemons/CMakeLists.txt @@ -29,6 +29,7 @@ set(common_deps $ $ $ + $ ) set(storage_meta_deps diff --git a/src/daemons/GraphDaemon.cpp b/src/daemons/GraphDaemon.cpp index dccf4a0cae9..4bfee7617e2 100644 --- a/src/daemons/GraphDaemon.cpp +++ b/src/daemons/GraphDaemon.cpp @@ -5,6 +5,7 @@ */ #include +#include #include #include #include @@ -15,6 +16,7 @@ #include "common/fs/FileUtils.h" #include "common/network/NetworkUtils.h" #include "common/process/ProcessUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/time/TimezoneInfo.h" #include "graph/service/GraphFlags.h" #include "graph/service/GraphService.h" @@ -52,6 +54,9 @@ int main(int argc, char *argv[]) { } folly::init(&argc, &argv, true); + if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl || FLAGS_enable_meta_ssl) { + folly::ssl::init(); + } nebula::initCounters(); if (FLAGS_flagfile.empty()) { @@ -149,6 +154,9 @@ int main(int argc, char *argv[]) { gServer->setIdleTimeout(std::chrono::seconds(FLAGS_client_idle_timeout_secs)); gServer->setNumAcceptThreads(FLAGS_num_accept_threads); gServer->setListenBacklog(FLAGS_listen_backlog); + if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl) { + gServer->setSSLConfig(nebula::sslContextConfig()); + } setupThreadManager(); // Setup the signal handlers diff --git a/src/daemons/MetaDaemon.cpp b/src/daemons/MetaDaemon.cpp index e2c176a8083..9c534951f43 100644 --- a/src/daemons/MetaDaemon.cpp +++ b/src/daemons/MetaDaemon.cpp @@ -4,6 +4,7 @@ * attached with Common Clause Condition 1.0, found in the LICENSES directory. */ +#include #include #include "common/base/Base.h" 
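Review bot: `gServer->setSSLConfig(nebula::sslContextConfig())` runs whenever `enable_ssl` or `enable_graph_ssl` is set, but nothing checks that `cert_path` and `key_path` were actually supplied; `sslContextConfig()` forwards the default empty strings straight into `addCertificate`, so a misconfigured daemon presumably fails somewhere inside wangle/OpenSSL instead of with an actionable message at startup. A guard next to the existing `FLAGS_flagfile` check, `if ((FLAGS_enable_ssl || FLAGS_enable_graph_ssl) && (FLAGS_cert_path.empty() || FLAGS_key_path.empty())) { LOG(ERROR) << "enable_ssl requires --cert_path and --key_path"; return EXIT_FAILURE; }`, fails fast; it needs `DECLARE_string(cert_path)` and `DECLARE_string(key_path)` added to SSLConfig.h, which currently exports only the three bool flags. The same check applies to MetaDaemon and StorageServer. `main()` begins and ends outside this hunk.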
@@ -12,6 +13,7 @@ #include "common/hdfs/HdfsHelper.h" #include "common/network/NetworkUtils.h" #include "common/process/ProcessUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/thread/GenericThreadPool.h" #include "common/time/TimezoneInfo.h" #include "kvstore/NebulaStore.h" @@ -204,6 +206,9 @@ int main(int argc, char* argv[]) { } folly::init(&argc, &argv, true); + if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) { + folly::ssl::init(); + } if (FLAGS_data_path.empty()) { LOG(ERROR) << "Meta Data Path should not empty"; return EXIT_FAILURE; @@ -307,6 +312,9 @@ int main(int argc, char* argv[]) { gServer->setPort(FLAGS_port); gServer->setIdleTimeout(std::chrono::seconds(0)); // No idle timeout on client connection gServer->setInterface(std::move(handler)); + if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) { + gServer->setSSLConfig(nebula::sslContextConfig()); + } gServer->serve(); // Will wait until the server shuts down } catch (const std::exception& e) { LOG(ERROR) << "Exception thrown: " << e.what(); diff --git a/src/daemons/StorageDaemon.cpp b/src/daemons/StorageDaemon.cpp index 70b2930cb84..b8f7f933be3 100644 --- a/src/daemons/StorageDaemon.cpp +++ b/src/daemons/StorageDaemon.cpp @@ -4,6 +4,7 @@ * attached with Common Clause Condition 1.0, found in the LICENSES directory. */ +#include #include #include "common/base/Base.h" @@ -69,6 +70,9 @@ int main(int argc, char *argv[]) { } folly::init(&argc, &argv, true); + if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) { + folly::ssl::init(); + } if (FLAGS_daemonize) { google::SetStderrLogging(google::FATAL); } else { diff --git a/src/graph/context/test/CMakeLists.txt b/src/graph/context/test/CMakeLists.txt index fc579f8a74a..02d05be1d42 100644 --- a/src/graph/context/test/CMakeLists.txt +++ b/src/graph/context/test/CMakeLists.txt @@ -40,6 +40,7 @@ SET(CONTEXT_TEST_LIBS $ $ $ + $ ) nebula_add_test( 
diff --git a/src/graph/executor/test/CMakeLists.txt b/src/graph/executor/test/CMakeLists.txt index c0a8925a452..f78ff4ed0c0 100644 --- a/src/graph/executor/test/CMakeLists.txt +++ b/src/graph/executor/test/CMakeLists.txt @@ -47,6 +47,7 @@ SET(EXEC_QUERY_TEST_OBJS $ $ $ + $ ) SET(EXEC_QUERY_TEST_LIBS diff --git a/src/graph/optimizer/test/CMakeLists.txt b/src/graph/optimizer/test/CMakeLists.txt index 7a5ed87dcb6..a1fa426ac72 100644 --- a/src/graph/optimizer/test/CMakeLists.txt +++ b/src/graph/optimizer/test/CMakeLists.txt @@ -43,6 +43,7 @@ set(OPTIMIZER_TEST_LIB $ $ $ + $ ) nebula_add_test( diff --git a/src/graph/util/test/CMakeLists.txt b/src/graph/util/test/CMakeLists.txt index f87291477e9..745ab224efe 100644 --- a/src/graph/util/test/CMakeLists.txt +++ b/src/graph/util/test/CMakeLists.txt @@ -32,6 +32,7 @@ nebula_add_test( $ $ $ + $ $ $ $ diff --git a/src/graph/validator/test/CMakeLists.txt b/src/graph/validator/test/CMakeLists.txt index d0b9077c44d..487e7791f4a 100644 --- a/src/graph/validator/test/CMakeLists.txt +++ b/src/graph/validator/test/CMakeLists.txt @@ -51,6 +51,7 @@ set(VALIDATOR_TEST_LIBS $ $ $ + $ ) nebula_add_test( diff --git a/src/graph/visitor/test/CMakeLists.txt b/src/graph/visitor/test/CMakeLists.txt index b5b61c02e28..159e50b613a 100644 --- a/src/graph/visitor/test/CMakeLists.txt +++ b/src/graph/visitor/test/CMakeLists.txt @@ -56,6 +56,7 @@ nebula_add_test( $ $ $ + $ LIBRARIES gtest ${THRIFT_LIBRARIES} diff --git a/src/kvstore/NebulaStore.h b/src/kvstore/NebulaStore.h index 306f716827f..562226c171a 100644 --- a/src/kvstore/NebulaStore.h +++ b/src/kvstore/NebulaStore.h @@ -11,6 +11,7 @@ #include #include "common/base/Base.h" +#include "common/ssl/SSLConfig.h" #include "common/utils/Utils.h" #include "interface/gen-cpp2/RaftexServiceAsyncClient.h" #include "kvstore/DiskManager.h" 
@@ -65,7 +66,8 @@ class NebulaStore : public KVStore, public Handler { options_(std::move(options)) { CHECK_NOTNULL(options_.partMan_); clientMan_ = - std::make_shared>(); + std::make_shared>( + FLAGS_enable_ssl); } ~NebulaStore(); diff --git a/src/kvstore/raftex/RaftexService.cpp b/src/kvstore/raftex/RaftexService.cpp index e48f545d34e..e8aba1fb432 100644 --- a/src/kvstore/raftex/RaftexService.cpp +++ b/src/kvstore/raftex/RaftexService.cpp @@ -9,6 +9,7 @@ #include #include "common/base/Base.h" +#include "common/ssl/SSLConfig.h" #include "kvstore/raftex/RaftPart.h" namespace nebula { @@ -60,6 +61,9 @@ void RaftexService::initThriftServer(std::shared_ptr workers, uint16_t port) { LOG(INFO) << "Init thrift server for raft service, port: " << port; + if (FLAGS_enable_ssl) { + server_->setSSLConfig(nebula::sslContextConfig()); + } server_->setPort(port); server_->setIdleTimeout(std::chrono::seconds(0)); if (pool != nullptr) { diff --git a/src/kvstore/raftex/test/CMakeLists.txt b/src/kvstore/raftex/test/CMakeLists.txt index 0a62fe2cabc..3a0abe49b43 100644 --- a/src/kvstore/raftex/test/CMakeLists.txt +++ b/src/kvstore/raftex/test/CMakeLists.txt @@ -10,6 +10,7 @@ set(RAFTEX_TEST_LIBS $ $ $ + $ ) diff --git a/src/kvstore/raftex/test/TestShard.cpp b/src/kvstore/raftex/test/TestShard.cpp index 7187aa862f9..d7c4683e1b0 100644 --- a/src/kvstore/raftex/test/TestShard.cpp +++ b/src/kvstore/raftex/test/TestShard.cpp @@ -7,6 +7,7 @@ #include "kvstore/raftex/test/TestShard.h" #include "common/base/Base.h" +#include "common/ssl/SSLConfig.h" #include "kvstore/raftex/Host.h" #include "kvstore/raftex/RaftexService.h" #include "kvstore/wal/FileBasedWal.h" @@ -118,7 +119,7 @@ HostAddr decodeRemovePeer(const folly::StringPiece& log) { std::shared_ptr> getClientMan() { static std::shared_ptr> clientMan( - new thrift::ThriftClientManager()); + new thrift::ThriftClientManager(FLAGS_enable_ssl)); return clientMan; } 
diff --git a/src/kvstore/test/CMakeLists.txt b/src/kvstore/test/CMakeLists.txt index 17d043ba6c2..a4d9c040d58 100644 --- a/src/kvstore/test/CMakeLists.txt +++ b/src/kvstore/test/CMakeLists.txt @@ -31,6 +31,7 @@ set(KVSTORE_TEST_LIBS $ $ $ + $ ) nebula_add_test( diff --git a/src/meta/CMakeLists.txt b/src/meta/CMakeLists.txt index 63e2d75dde1..1738ba20365 100644 --- a/src/meta/CMakeLists.txt +++ b/src/meta/CMakeLists.txt @@ -158,6 +158,7 @@ set(meta_test_deps $ $ $ + $ ) nebula_add_subdirectory(http) diff --git a/src/meta/processors/admin/AdminClient.h b/src/meta/processors/admin/AdminClient.h index c1a3a1bef8a..61ae5157f22 100644 --- a/src/meta/processors/admin/AdminClient.h +++ b/src/meta/processors/admin/AdminClient.h @@ -11,6 +11,7 @@ #include "common/base/Base.h" #include "common/base/Status.h" +#include "common/ssl/SSLConfig.h" #include "common/thrift/ThriftClientManager.h" #include "interface/gen-cpp2/StorageAdminServiceAsyncClient.h" #include "kvstore/KVStore.h" @@ -33,7 +34,8 @@ class AdminClient { explicit AdminClient(kvstore::KVStore* kv) : kv_(kv) { ioThreadPool_ = std::make_unique(10); clientsMan_ = std::make_unique< - thrift::ThriftClientManager>(); + thrift::ThriftClientManager>( + FLAGS_enable_ssl); } virtual ~AdminClient() = default; diff --git a/src/parser/test/CMakeLists.txt b/src/parser/test/CMakeLists.txt index 0280f76d346..260722922d4 100644 --- a/src/parser/test/CMakeLists.txt +++ b/src/parser/test/CMakeLists.txt @@ -42,6 +42,7 @@ set(PARSER_TEST_LIBS $ $ $ + $ ) nebula_add_test( diff --git a/src/storage/StorageServer.cpp b/src/storage/StorageServer.cpp index 687448f3077..ca5c15f9fa9 100644 --- a/src/storage/StorageServer.cpp +++ b/src/storage/StorageServer.cpp 
@@ -13,6 +13,7 @@ #include "common/meta/ServerBasedIndexManager.h" #include "common/meta/ServerBasedSchemaManager.h" #include "common/network/NetworkUtils.h" +#include "common/ssl/SSLConfig.h" #include "common/thread/GenericThreadPool.h" #include "common/utils/Utils.h" #include "kvstore/PartManager.h" @@ -182,6 +183,9 @@ bool StorageServer::start() { storageServer_->setThreadManager(workers_); storageServer_->setStopWorkersOnStopListening(false); storageServer_->setInterface(std::move(handler)); + if (FLAGS_enable_ssl) { + storageServer_->setSSLConfig(nebula::sslContextConfig()); + } ServiceStatus expected = STATUS_UNINITIALIZED; if (!storageSvcStatus_.compare_exchange_strong(expected, STATUS_RUNNING)) { @@ -208,6 +212,9 @@ bool StorageServer::start() { adminServer_->setThreadManager(workers_); adminServer_->setStopWorkersOnStopListening(false); adminServer_->setInterface(std::move(handler)); + if (FLAGS_enable_ssl) { + adminServer_->setSSLConfig(nebula::sslContextConfig()); + } ServiceStatus expected = STATUS_UNINITIALIZED; if (!adminSvcStatus_.compare_exchange_strong(expected, STATUS_RUNNING)) { @@ -234,6 +241,9 @@ bool StorageServer::start() { internalStorageServer_->setThreadManager(workers_); internalStorageServer_->setStopWorkersOnStopListening(false); internalStorageServer_->setInterface(std::move(handler)); + if (FLAGS_enable_ssl) { + internalStorageServer_->setSSLConfig(nebula::sslContextConfig()); + } internalStorageSvcStatus_.store(STATUS_RUNNING); LOG(INFO) << "The internal storage service start(same with admin) on " << internalAddr; diff --git a/src/storage/test/CMakeLists.txt b/src/storage/test/CMakeLists.txt index 1ee64ef9607..8b63074315b 100644 --- a/src/storage/test/CMakeLists.txt +++ b/src/storage/test/CMakeLists.txt @@ -47,6 +47,7 @@ set(storage_test_deps $ $ $ + $ ) nebula_add_test( diff --git a/src/tools/db-dump/CMakeLists.txt b/src/tools/db-dump/CMakeLists.txt index ae25df40ea2..fa4587a52f3 100644 --- a/src/tools/db-dump/CMakeLists.txt 
+++ b/src/tools/db-dump/CMakeLists.txt @@ -43,6 +43,7 @@ set(tools_test_deps $ $ $ + $ ) nebula_add_executable( diff --git a/src/tools/db-upgrade/CMakeLists.txt b/src/tools/db-upgrade/CMakeLists.txt index 0259465280e..ed036caea97 100644 --- a/src/tools/db-upgrade/CMakeLists.txt +++ b/src/tools/db-upgrade/CMakeLists.txt @@ -51,6 +51,7 @@ nebula_add_executable( $ $ $ + $ LIBRARIES ${ROCKSDB_LIBRARIES} ${THRIFT_LIBRARIES} diff --git a/src/tools/meta-dump/CMakeLists.txt b/src/tools/meta-dump/CMakeLists.txt index b715015e61f..d6aad52c963 100644 --- a/src/tools/meta-dump/CMakeLists.txt +++ b/src/tools/meta-dump/CMakeLists.txt @@ -48,6 +48,7 @@ nebula_add_executable( $ $ $ + $ LIBRARIES ${ROCKSDB_LIBRARIES} ${THRIFT_LIBRARIES} diff --git a/src/tools/storage-perf/CMakeLists.txt b/src/tools/storage-perf/CMakeLists.txt index ee298ac6737..94e888f12bd 100644 --- a/src/tools/storage-perf/CMakeLists.txt +++ b/src/tools/storage-perf/CMakeLists.txt @@ -43,6 +43,7 @@ set(perf_test_deps $ $ $ + $ ) nebula_add_executable( diff --git a/tests/Makefile b/tests/Makefile index 36963cbf2c7..79d25120ab7 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -16,6 +16,10 @@ TEST_DIR ?= $(CURR_DIR) BUILD_DIR ?= $(CURR_DIR)/../build DEBUG ?= true J ?= 10 +ENABLE_SSL ?= false +ENABLE_GRAPH_SSL ?= false +ENABLE_META_SSL ?= false +CA_SIGNED ?= false install-deps: pip3 install --user -U setuptools wheel -i $(PYPI_MIRROR) 
@@ -49,7 +53,7 @@ check: up: clean @mkdir -p $(CURR_DIR)/.pytest - PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true + PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=start --rm_dir=$(RM_DIR) --build_dir=$(BUILD_DIR) --debug=$(DEBUG) --multi_graphd=true --enable_ssl=$(ENABLE_SSL) --enable_graph_ssl=$(ENABLE_GRAPH_SSL) --enable_meta_ssl=$(ENABLE_META_SSL) --ca_signed=$(CA_SIGNED) down: PYTHONPATH=$$PYTHONPATH:$(CURR_DIR)/.. $(CURR_DIR)/nebula-test-run.py --cmd=stop --rm_dir=$(RM_DIR) diff --git a/tests/cert/test.ca.key b/tests/cert/test.ca.key new file mode 100644 index 00000000000..6006d0f275f --- /dev/null +++ b/tests/cert/test.ca.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,6D12ED8559E80FA3 + +tv9epnwlt4dP6Q5ee0dACOyFA5BTwYTdoMykQRJrKGwfaNeXUXn+sQ/U/oFHp1Wx +O8VZE+z2aHpiFSTw+Eh6MPt86X5yVG3tpeVO6dErvr8Kd+NpuI8zn7rNoOFRh8wD +33EFcQMLQPneDl10O18hooIoi0qwp1pd63hYZPwEhB3eOrM5Mnv9OVJs65bzYfyf +Wku33YWYxeqlDvMCsou8PZnv/M2wYsr7+QoTcNmGKP45igMthMDBzwgF+q0p9ZZU +N11c6ojAs01kfuqFf3vKfHNYe6zsBiNhnUuEy8enXSxD5E7tR/OI8aEzPLdk7fmN +/UsMK2LE0Yd5iS3O1x/1ZjSBxJ+M/UzzCO692GTAiD6Hc13iJOavq/vt1mEPjfCD +neF38Bhb5DfFi+UAHrz6EHMreamGCzP82us2maIs7mSTq7nXDZfbBc7mBDLAUUnT +J6tlrTyc+DQXzkJa6jmbxJhcsWm6XvjIBEzSXVHxEDPLnZICQk3VXODjCXTD75Rg +0WaS78Ven7DW8wn07q3VzWAFDKaet3VI+TVTv7EfIavlfiA6LSshaENdFLeHahNE +s/V/j5K3Pg6+WQcZRgOsfqIwUCSQxY13R6TTdaaCkLay5BggF5iiAO3pkqsJiadf +w843Ak4USBptymJxoZgJyFtQHpQyNiFfsAbs9BaYbg2evvE7/VQhLk0gQ7HgQMeJ +wgxEQqZQKDCCSugSzY1YEGXKnrZYCKyipzyyH936mE15zNwhYp/Pi2020+gmtP3h +CDfcPs1yeLI2/1JuimafbuKsv9xchWa6ASU8p8Q7wTLtUj9ylLKyA4A/75pK0DXG +Hv/q0O+UfhAMD438SoPBle7RSvIsDU1VjUqstlNybBglBZxGIME7/18+Ms7U32wh +4xFkZwxT2nqFgyk37tXMdMz9UBh12/AXR9NU4XY37C3Ao2TDT7/0DvU6KdJhsDpv +rGcaC2zzhko+0CPrLlk52KbqP003JXiWvOSI+FylyPPDB/YGitmndJUuQblf3u/E +l+tGi9MeSBQeWKV6D3AVnO05AZjfTUzSK0vw4DgNh5YPNJvLy31B7kDAS88vyGI1 +t6MBwjW4/tz/nS/p1Go3mSzBhPkIsCrZE+ar7lH8p8JqkLl4fXIMaVKIfyfJdzyS +lkh3K7bOGDPegxxxaWdb+EnC7k+1R3EOU7uJFW61HyrGI3q6Y7kOl5aYSJ5Ge1Uv +PycFWHWVTHq/R7HRE6HIJzGe/PnLIbStXLDFeivjfcYq1YaSaF8Vl+xg+0u3ULOl +P6IuPTph6dlcgttRZVl3ETcF0T+2wfbUwgjf0ZiguCJfR2jLGhPl1KBg0Kd9cTSY +zI3YMMd2G8hApt/QFlm4Ry8CqaJUmDcjDNIJT3M+RldUgfz37NsX05cA5e9+I1AL +2406F/v5U9gWsYx7HuwJtQrDzYYDbl1GD4H+qHFJE5JYhPP4AyWYxJ1NR5dqyvrt ++3r5+xlwZrS76c10RsBWL7th8ZEzRxOZxbtLwbf4bG/tIGfQP2sTnWwA+qym6b2S +sRduqOTP+xwnhOq/ZKn8lfsDfhT8CPnKHBsd09kM9y/UWuxFe0upLydRLE/Wsb9s +-----END RSA PRIVATE KEY----- diff --git a/tests/cert/test.ca.pem b/tests/cert/test.ca.pem new file mode 100644 index 00000000000..412ba31619d --- /dev/null +++ b/tests/cert/test.ca.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEGzCCAwOgAwIBAgIUDcmZFpL4PcdCXfLRBK8bR2vb39cwDQYJKoZIhvcNAQEL +BQAwgZwxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwI +SGFuZ3pob3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQLDAdzZWN0aW9u +MRYwFAYDVQQDDA1zaHlsb2NrIGh1YW5nMScwJQYJKoZIhvcNAQkBFhhzaHlsb2Nr +Lmh1YW5nQHZlc29mdC5jb20wHhcNMjEwODE5MDkyNDQ3WhcNMjUwODE4MDkyNDQ3 +WjCBnDELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZWppYW5nMREwDwYDVQQHDAhI +YW5nemhvdTEUMBIGA1UECgwLVmVzb2Z0IEluYy4xEDAOBgNVBAsMB3NlY3Rpb24x +FjAUBgNVBAMMDXNoeWxvY2sgaHVhbmcxJzAlBgkqhkiG9w0BCQEWGHNoeWxvY2su +aHVhbmdAdmVzb2Z0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AMEAgpamCQHl+8JnUHI6/VmJHjDLYJLTliN/CwpFrhMqIVjJ8wG57WYLpXpn91Lz +eHu52LkVzcikybIJ2a+LOTvnhNFdbmTbqDtrb+s6wM/sO+nF6tU2Av4e5zhyKoeR +LL+rHMk3nymohbdN4djySFmOOU5A1O/4b0bZz4Ylu995kUawdiaEo13BzxxOC7Ik +Gge5RyDcm0uLXZqTAPy5Sjv/zpOyj0AqL1CJUH7XBN9OMRhVU0ZX9nHWl1vgLRld +J6XT17Y9QbbHhCNEdAmFE5kEFgCvZc+MungUYABlkvoj86TLmC/FMV6fWdxQssyd +hS+ssfJFLaTDaEFz5a/Tr48CAwEAAaNTMFEwHQYDVR0OBBYEFK0GVrQx+wX1GCHy +e+6fl4X+prmYMB8GA1UdIwQYMBaAFK0GVrQx+wX1GCHye+6fl4X+prmYMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHqP8P+ZUHmngviHLSSN1ln5 +Mx4BCkVeFRUaFx0yFXytV/iLXcG2HpFg3A9rAFoYgCDwi1xpsERnBZ/ShTv/eFOc +IxBY5yggx3/lGi8tAgvUdarhd7mQO67UJ0V4YU3hAkbnZ8grHHXj+4hfgUpY4ok6 +yaed6HXwknBb9W8N1jZI8ginhkhjaeRCHdMiF+fBvNCtmeR1bCml1Uz7ailrpcaT +Mf84+5VYuFEnaRZYWFNsWNCOBlJ/6/b3V10vMXzMmYHqz3xgAq0M3fVTFTzopnAX +DLSzorL/dYVdqEDCQi5XI9YAlgWN4VeGzJI+glkLOCNzHxRNP6Qev+YI+7Uxz6I= +-----END CERTIFICATE----- diff --git a/tests/cert/test.ca.srl b/tests/cert/test.ca.srl new file mode 100644 index 00000000000..877d296b7c1 --- /dev/null +++ b/tests/cert/test.ca.srl @@ -0,0 +1 @@ +4AF2EBB941EA7EE8358ECC7E51C2F1A38EE18873 diff --git a/tests/cert/test.derive.crt b/tests/cert/test.derive.crt new file mode 100644 index 00000000000..8f03073e2ff --- /dev/null +++ b/tests/cert/test.derive.crt 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDvjCCAqYCFEry67lB6n7oNY7MflHC8aOO4YhzMA0GCSqGSIb3DQEBCwUAMIGc +MQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcMCEhhbmd6 +aG91MRQwEgYDVQQKDAtWZXNvZnQgSW5jLjEQMA4GA1UECwwHc2VjdGlvbjEWMBQG +A1UEAwwNc2h5bG9jayBodWFuZzEnMCUGCSqGSIb3DQEJARYYc2h5bG9jay5odWFu +Z0B2ZXNvZnQuY29tMB4XDTIxMDgyNDEwNTExMloXDTIzMTEyNzEwNTExMlowgZkx +CzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwISGFuZ3po +b3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQLDAdzZWN0aW9uMRMwEQYD +VQQDDApTaHlsb2NrIEhnMScwJQYJKoZIhvcNAQkBFhhzaHlsb2NrLmh1YW5nQHZl +c29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHk1PQtaCG +S31nvxKuT6pzVQuOsA2hEIDzBZuoBK3blezBB16fjUWG2wHG/r9Oss5YzOly4viL +1oFLsNdYg27EFH7pcGfdSUmZa6LHILegJTmLa1aB4lRG9EsvPIxNuo637CW2z6EW +ElVKXn2N1G1vW3fpKGxJ+d1ovaFfBliO0sK+myW+vYdKrNg70WqKKCoCIlIjEWw3 +vQdrmvhuhIBbG1bXkXbJwIepBdb4wGSx8qsgs93I6/je/K/iJaPJIqdH8loo6fSo +DBUiNA87ZsQdtbBeuk7QuF71SxD5+E8wCMtFMwRGmL0vYMPwkaurKxwEs49e8eTz +RvIrNtyYgVo7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGBpm5OLXn02kWr1ENU5 +FOOVryD41SCmPy8hLwQ2MCXd446UfTXc5TTlllksaePn373ZANLUe78vUCoVPjOh +dU5GxyOKtubXovI+yuvMS11u00KtgiAd5qa+IhX3c/P60bh4+fdKZ9ViyLsG+IpQ ++XDYT2uekLyjXXJU6h1raW7M1VY9FcDC63moXz0WgWJ/9tJgB0ZQkVcL+2UpveoZ +Whf9P0xAzCmNSrR7CMhdeRN2vBQQaHXk/64wkHncdkz/NglVl00rh4MtBKZ6Cqze +uZvgrxOJNzB4aXBMHO7sWzw1VSfS79CZm4H39hBWGiVEkr3yZYQbboDRY6F5dQyc +BZc= +-----END CERTIFICATE----- diff --git a/tests/cert/test.derive.csr b/tests/cert/test.derive.csr new file mode 100644 index 00000000000..89b26237ec7 --- /dev/null +++ b/tests/cert/test.derive.csr 
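Review bot: Decoding the Validity field of this leaf certificate gives notBefore 2021-08-24 and notAfter 2023-11-27, so the CA-signed CI configuration (`CA_SIGNED=true`, which serves this cert with `ca_path` verification enabled) will start failing with an expired-certificate error roughly two years after this commit, and the issuer in test.ca.pem itself appears to expire on 2025-08-18. Test fixtures like these are better generated with a long validity (ten years or more) or regenerated by a script checked in beside them; the .csr is already committed, so recording the `openssl x509 -req -days N ...` step is cheap. The leaf also appears to be a v1 certificate with no extensions, hence no SAN, which is the reason the client cannot do hostname validation; a regenerated cert with a SAN for `localhost`/`127.0.0.1` would let the client turn hostname checking back on.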
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIDEjCCAfoCAQAwgZkxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhaaGVqaWFuZzER +MA8GA1UEBwwISGFuZ3pob3UxFDASBgNVBAoMC1Zlc29mdCBJbmMuMRAwDgYDVQQL +DAdzZWN0aW9uMRMwEQYDVQQDDApTaHlsb2NrIEhnMScwJQYJKoZIhvcNAQkBFhhz +aHlsb2NrLmh1YW5nQHZlc29mdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDHk1PQtaCGS31nvxKuT6pzVQuOsA2hEIDzBZuoBK3blezBB16fjUWG +2wHG/r9Oss5YzOly4viL1oFLsNdYg27EFH7pcGfdSUmZa6LHILegJTmLa1aB4lRG +9EsvPIxNuo637CW2z6EWElVKXn2N1G1vW3fpKGxJ+d1ovaFfBliO0sK+myW+vYdK +rNg70WqKKCoCIlIjEWw3vQdrmvhuhIBbG1bXkXbJwIepBdb4wGSx8qsgs93I6/je +/K/iJaPJIqdH8loo6fSoDBUiNA87ZsQdtbBeuk7QuF71SxD5+E8wCMtFMwRGmL0v +YMPwkaurKxwEs49e8eTzRvIrNtyYgVo7AgMBAAGgMzAVBgkqhkiG9w0BCQcxCAwG +dmVzb2Z0MBoGCSqGSIb3DQEJAjENDAtWZXNvZnQgSW5jLjANBgkqhkiG9w0BAQsF +AAOCAQEAjmyCyxziJMR8NILRAwmfYcBB90CbTFMMEyWy402KxoXcyVZBGO2eukIq +gaF2ywuh6yuTPtGsdVMVTWDQ4RLYpoQoR5Blu+M8Or8rhZSfMYXi79Ne3abSF28E +eWjBmh2Ys0GtaThlufJBWE+vWPH2iEGrSRTg1fvBLBzAW6nXU2svoTrKfDcEoY5z +xB0CKhBoewoIZ2FPBmBAnIWHfXR/vQ76QIoNdfQ4nT8iXuLRoNjRlvVU4AUDwKtu +keRDrnmJ7A5eqTlleCMzra2MAp9Na9gojXlGQP9q9V8nFtSvbjYAoH0ezWpdWj4+ +Rtu9EK4JkDymmmZcneFapExZrRLt0A== +-----END CERTIFICATE REQUEST----- diff --git a/tests/cert/test.derive.key b/tests/cert/test.derive.key new file mode 100644 index 00000000000..a011917b3af --- /dev/null +++ b/tests/cert/test.derive.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAx5NT0LWghkt9Z78Srk+qc1ULjrANoRCA8wWbqASt25XswQde +n41FhtsBxv6/TrLOWMzpcuL4i9aBS7DXWINuxBR+6XBn3UlJmWuixyC3oCU5i2tW +geJURvRLLzyMTbqOt+wlts+hFhJVSl59jdRtb1t36ShsSfndaL2hXwZYjtLCvpsl +vr2HSqzYO9FqiigqAiJSIxFsN70Ha5r4boSAWxtW15F2ycCHqQXW+MBksfKrILPd +yOv43vyv4iWjySKnR/JaKOn0qAwVIjQPO2bEHbWwXrpO0Lhe9UsQ+fhPMAjLRTME +Rpi9L2DD8JGrqyscBLOPXvHk80byKzbcmIFaOwIDAQABAoIBAEZ50URHjzs9VziW +sdsaSN/XbXBi3T0+Xbr0BQatOFPtuqBjoNeJBL9dgWArP5Vj8RhMrDekzQ5cnmYD +OdiI+UmGz1ZSGmt7YOErsFzPQejsnEiOjArryMURqacxo34jXhi27I6E/aaUrMfJ +XF8EX+zOCSct3ie1c6l0JZMv43/zbzP2vMFEdfnVfZA2Kxo5l3I4rjuxHUEWHzrb +EgM4a2+y7LQrut75zP9zWEZAqim/VEIEj24Gqj+Vocb6cHlc31KzKaEz7Ra5ha2J +kN2CQRKCzoMupVL5E6dWMiDVjUyUXdUgjSCIW2H+E1ONgvxA78jJx7+Dzj+/bWxH +h/vr3dkCgYEA9Aev7PGoGF0eapZY3crehvtCn1v4YLheh0dk4EpbpbEx0rQaG3h7 +YYCf7euxMvoTsKPETHAUG/s/RZV1DNOjxs8GKgEIVaRYEf1VZeDXudtnyKBwCMAL +5CKHRBvfmNG9n+PpQQlrIAZGej7HU+/IzEVsrD2A5DeH9IVpMNvrX10CgYEA0V1r +aydbBP+Ma/fiG5UDa8l4GdLzvAoW2cY6ZhQX4NiLTK91MwA/QOQcVMvJAN2KpPHC +kGDRT7IhMs66cMxl0ImIJ2QSnv8HRNmBBSdUtJx1S6nV2u0VfgP61oNT/YbLR/Jk +CAIl1qe7Q8IsrMbPxCbt8g+D8Wr9C3pdYYqFvncCgYEAicGdKmDwx3Apr3nYCLxx +CjnkzhkZCWCK3EsNQyA2xD5XJd7NrhxBajU2ExUuHtzVKK4KLixG7dTTTvCj9u2y +UpSjoiqbDd2MaftcrfpTTXPyDmujUw02qT5kpaomexpLtWrvTeuHMbjZKEEwPM3r +yISYaFL/49UFRp/ZVd+P63ECgYAX1B0ctf77A6bUxwK6Buy7wNNlhQful+tf39rX +sWPCWIMKOFILevS4Cv5afFMlQRG9kjKFwi8wdeKnaLX5jpnr8StI6G/iHr6SDHtN +vds7Ly9+bBcF8sPmcseC0LGngkbyqljOPIhX9QEwRhJVm88b0R511WQ7/uRMASJN +rrloIwKBgCxYlu1xvvEuQNoIux/yKAEJ1h4Ta2zc5upjw0uDKMi0UNIbNhgdFOvj +LuVbxTRU8WktrLNk3T0rsopKsTbEZVg6Yuv8ZLkEiNYTzhUbn2Y5yM3bnoVwyOns +pTtqmBtvDZxaRCYdIQG3b09IvrewDk26AOtNHdeKw883G2muP/vA +-----END RSA PRIVATE KEY----- diff --git a/tests/common/nebula_service.py b/tests/common/nebula_service.py index fd7531ca12e..13ec5690e4f 100644 --- a/tests/common/nebula_service.py +++ b/tests/common/nebula_service.py 
@@ -60,15 +60,33 @@ def _copy_nebula_conf(self): os.makedirs(resources_dir) shutil.copy(self.build_dir + '/../resources/gflags.json', resources_dir) - def _format_nebula_command(self, name, meta_port, ports, debug_log=True): + # cert files + shutil.copy(self.src_dir + '/tests/cert/test.ca.key', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.ca.pem', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.derive.key', + resources_dir) + shutil.copy(self.src_dir + '/tests/cert/test.derive.crt', + resources_dir) + + def _format_nebula_command(self, name, meta_port, ports, debug_log=True, ca_signed=False): params = [ "--meta_server_addrs={}", "--port={}", "--ws_http_port={}", "--ws_h2_port={}", "--heartbeat_interval_secs=1", - "--expired_time_factor=60" + "--expired_time_factor=60", ] + if ca_signed: + params.append('--ca_path=share/resources/test.ca.pem') + params.append('--cert_path=share/resources/test.derive.crt') + params.append('--key_path=share/resources/test.derive.key') + else: + params.append('--cert_path=share/resources/test.ca.pem') + params.append('--key_path=share/resources/test.ca.key') + if name == 'graphd': params.append('--local_config=false') params.append('--enable_authorize=true') @@ -151,7 +169,7 @@ def _check_servers_status(self, ports): time.sleep(1) return False - def start(self, debug_log=True, multi_graphd=False): + def start(self, debug_log=True, multi_graphd=False, enable_ssl=False, enable_graph_ssl=False, enable_meta_ssl=False, ca_signed=False): os.chdir(self.work_dir) metad_ports = self._find_free_port() 
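Review bot: `_copy_nebula_conf` ships `test.ca.key`, the CA's private key, into every server's `share/resources` directory, although in `ca_signed` mode only `test.ca.pem` (the trust anchor) plus the derived cert/key are needed; copy the CA key only for the self-signed branch, or better, sign a separate self-signed server certificate so the CA key never leaves tests/cert. tests/cert/test.ca.key is also passphrase-encrypted (`Proc-Type: 4,ENCRYPTED`) while `sslContextConfig()` calls `addCertificate(cert, key, "")` with no password path, so the non-`ca_signed` branch (`--key_path=share/resources/test.ca.key`) can presumably load it only if a password callback is configured elsewhere; worth confirming against the clang CI job, which runs exactly this branch. Document the `else` branch with `# self-signed: the test CA cert/key doubles as the server identity, no ca_path so clients skip verification` so the next reader knows the two modes differ in verification, not just in file names.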
@@ -184,10 +202,14 @@ def start(self, debug_log=True, multi_graphd=False): command = self._format_nebula_command(new_name, metad_ports[0], ports, - debug_log) + debug_log, + ca_signed=ca_signed) if server_name == 'graphd1': command += ' --log_dir=logs1' command += ' --pid_file=pids1/nebula-graphd.pid' + command += ' --enable_ssl={}'.format(enable_ssl) + command += ' --enable_graph_ssl={}'.format(enable_graph_ssl) + command += ' --enable_meta_ssl={}'.format(enable_meta_ssl) print("exec: " + command) p = subprocess.Popen([command], shell=True, stdout=subprocess.PIPE) p.wait() diff --git a/tests/nebula-test-run.py b/tests/nebula-test-run.py index 1b38d3cba14..0399a3b2139 100755 --- a/tests/nebula-test-run.py +++ b/tests/nebula-test-run.py @@ -52,6 +52,22 @@ def init_parser(): dest='debug', default=True, help='Print verbose debug logs') + opt_parser.add_option('--enable_ssl', + dest='enable_ssl', + default=False, + help='Whether enable SSL for cluster.') + opt_parser.add_option('--enable_graph_ssl', + dest='enable_graph_ssl', + default=False, + help='Whether enable SSL for graph server.') + opt_parser.add_option('--enable_meta_ssl', + dest='enable_meta_ssl', + default=False, + help='Whether enable SSL for meta server.') + opt_parser.add_option('--ca_signed', + dest='ca_signed', + default=False, + help='Whether enable CA signed SSL/TLS mode.') return opt_parser @@ -70,7 +86,7 @@ def start_nebula(nb, configs): nb.install() address = "localhost" debug = opt_is(configs.debug, "true") - ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd) + ports = nb.start(debug_log=debug, multi_graphd=configs.multi_graphd, enable_ssl=configs.enable_ssl, enable_graph_ssl=configs.enable_graph_ssl, enable_meta_ssl=configs.enable_meta_ssl, ca_signed=configs.ca_signed) # Load csv data pool = get_conn_pool(address, ports[0])
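Review bot: The four new options are passed through unnormalized: optparse leaves them as the strings `"true"`/`"false"` from the Makefile or the bool default `False`, and `start()` then formats them with `'--enable_ssl={}'.format(enable_ssl)`, so the daemon command line becomes `--enable_ssl=True` or `--enable_ssl=false` depending on the caller; gflags presumably accepts both spellings case-insensitively, but `--debug` on the line above is normalized through `opt_is(configs.debug, "true")`, and the same treatment here (`enable_ssl=opt_is(configs.enable_ssl, "true")`, and likewise for the other three) makes the behaviour independent of the flag parser and the caller. The help strings read "Whether enable SSL ..."; "Whether to enable SSL ..." is the intended phrasing.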