diff --git a/manifests/config.pp b/manifests/config.pp
index 94dc1f5c2..eb089a194 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -61,14 +61,14 @@
 }
 $db_context = {
- 'managed' => $foreman::db_manage,
- 'rails_env' => $foreman::rails_env,
- 'host' => $foreman::db_host,
- 'port' => $foreman::db_port,
- 'sslmode' => $foreman::db_sslmode_real,
- 'database' => $foreman::db_database,
- 'username' => $foreman::db_username,
- 'password' => $foreman::db_password,
+ 'managed' => $foreman::db_manage,
+ 'rails_env' => $foreman::rails_env,
+ 'host' => $foreman::db_host,
+ 'port' => $foreman::db_port,
+ 'sslmode' => $foreman::db_sslmode_real,
+ 'database' => $foreman::db_database,
+ 'username' => $foreman::db_username,
+ 'password' => $foreman::db_password,
 # Set the pool size to at least the amount of puma threads + 4 threads that are spawned automatically by the process.
 # db_pool is optional, and undef means "use default" and the second part of the max statement will be set.
 # The number 4 is for 4 threads that are spawned internally during the execution:
@@ -77,7 +77,8 @@
 # 3. Stomp listener (required by Katello)
 # 4. Puma server listener thread
 # This means for systems without Katello we can reduce the amount of the pool to puma_threads_max + 1
- 'db_pool' => pick($foreman::db_pool, $foreman::foreman_service_puma_threads_max + 4),
+ 'db_pool' => pick($foreman::db_pool, $foreman::foreman_service_puma_threads_max + 4),
+ 'extra_options' => $foreman::db_extra_options,
 file { '/etc/foreman/database.yml':
diff --git a/manifests/init.pp b/manifests/init.pp
index a3dde8393..4e65ba82d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
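Review bot: The new `'extra_options' => $foreman::db_extra_options` entry is passed to the template with no check against the keys config.pp already derives from the db_* parameters, so a Hiera value such as `db_extra_options: {sslmode: disable}` or `{password: ...}` yields a duplicated key in database.yml that Psych, as far as I know, resolves last-wins — the explicit `db_sslmode`/`db_password` settings are silently overridden and no catalog error is raised. Rejecting the overlap before `$db_context` is built keeps the typed parameters authoritative; the exact list of managed keys must be taken from what the template writes, of which only `password` and `pool` are visible in this diff (an `adapter` key is likely but not shown). The `$db_context` assignment starts above this hunk and the `file` resource continues below it.
```puppet
# Keys that the db_* parameters already write to database.yml; extra options
# must not shadow them, otherwise a later duplicate silently wins in YAML.
$db_managed_keys = ['host', 'port', 'sslmode', 'database', 'username', 'password', 'pool']
$db_key_clash = $foreman::db_extra_options.keys.filter |$key| { $key in $db_managed_keys }
unless $db_key_clash.empty {
  fail("db_extra_options must not override managed database.yml keys: ${db_key_clash.join(', ')}")
}
# … unchanged: $db_context hash …
```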
@@ -87,6 +87,9 @@
 # $db_pool:: Database 'production' size of connection pool. If the value is not set, it will be
 # set by default to the amount of puma threads + 4 (for internal system threads)
 #
+# $db_extra_options:: Database 'production' extra options. Can be used for extra options, not made
+# available by the above db_* parameters.
+#
 # $db_manage_rake:: if enabled, will run rake jobs, which depend on the database
 #
 # $server_port:: Defines Apache port for HTTP requests
@@ -230,6 +233,7 @@
 Optional[String[1]] $db_sslmode = undef,
 Optional[String[1]] $db_root_cert = undef,
 Optional[Integer[0]] $db_pool = undef,
+ Hash[String[1], Variant[String, Integer]] $db_extra_options = {},
 Boolean $db_manage_rake = true,
 Stdlib::Port $server_port = 80,
 Stdlib::Port $server_ssl_port = 443,
diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
index a43c95235..349df3d33 100644
--- a/spec/classes/foreman_spec.rb
+++ b/spec/classes/foreman_spec.rb
@@ -201,6 +201,7 @@
 db_password: 'secret',
 db_sslmode: 'prefer',
 db_pool: 9,
+ db_extra_options: { 'target_session_attrs': 'read-write' },
 db_manage_rake: true,
 server_port: 80,
 server_ssl_port: 443,
@@ -485,6 +486,30 @@
 it { should contain_user('foreman').with('groups' => []) }
 end
+
+ # used to establish an encrypted connection to postgresl with a client certificate
+ describe 'with db_sslmode & db_extra_options'do
+ let :params do
+ {
+ db_sslmode: 'verify-full',
+ db_extra_options: {
+ sslrootcert: '/etc/pki/root.crt',
+ sslcert: '/etc/pki/localhost.crt',
+ sslkey: '/etc/pki/localhost.key'
+ }
+ }
+ end
+ it 'should configure the database' do
+ should contain_file('/etc/foreman/database.yml')
+ .with_owner('root')
+ .with_group('foreman')
+ .with_mode('0640')
+ .with_content(/sslmode: verify-full/)
+ .with_content(/sslrootcert: "\/etc\/pki\/root\.crt"/)
+ .with_content(/sslcert: "\/etc\/pki\/localhost\.crt"/)
+ .with_content(/sslkey: "\/etc\/pki\/localhost\.key"/)
+ end
+ end
 end
 end
 end
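Review bot: The new `$db_extra_options::` description does not say where the options end up or that they are written as given, which is what an operator needs to know before putting libpq connection options here; the template change in this commit appends them verbatim after `pool:` with no filtering. I would reword the two added comment lines to: `# $db_extra_options:: Additional key/value pairs written verbatim into the 'production' section of database.yml after the keys derived from the db_* parameters (e.g. libpq options such as sslcert/sslkey). Keys are not validated, a key that duplicates a db_* setting may override it, and values are stored in plain text.` The surrounding parameter documentation continues outside the hunk.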
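Review bot: `Hash[String[1], Variant[String, Integer]]` on the new `$db_extra_options` admits no `Sensitive` values, whereas `$db_password` (declared outside this hunk, and accepted as `Sensitive[String[1]]` by the template's `$password` parameter in this same commit) does, so a secret handed in this way — libpq's `sslpassword` for an encrypted client key is the obvious candidate — shows up in plain text wherever class parameters are rendered (catalog, reports, lookup/debug output), where a Sensitive value would be redacted. Widening the type to `Hash[String[1], Variant[String, Integer, Sensitive[String[1]]]] $db_extra_options = {},` keeps parity with db_password; the template's `stdlib::to_ruby($v)` would then need to unwrap Sensitive values, which I cannot confirm it does from here. The class parameter list continues outside the hunk.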
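Review bot: `describe 'with db_sslmode & db_extra_options'do` in the new example is missing the space before `do`; Ruby accepts it but it trips RuboCop's `Layout/SpaceAroundKeyword` and reads as a typo, so `describe 'with db_sslmode & db_extra_options' do`. The nested hash also uses bare symbol keys (`sslrootcert:`) while the parameter-listing example earlier in this diff uses the quoted-symbol form `'target_session_attrs':` and the Puppet type is `Hash[String[1], …]`; rspec-puppet appears to stringify both, but plain string keys (`'sslrootcert' => '/etc/pki/root.crt'`) match what a Hiera user writes and avoid relying on that conversion. The example asserts database.yml is `0640` root:foreman but nothing in the module is shown to make `/etc/pki/localhost.key` readable by the foreman user — worth a one-line comment in the example that the key's ownership is the operator's responsibility, if that is indeed the case. The enclosing describe blocks start before this hunk.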
diff --git a/templates/database.yml.epp b/templates/database.yml.epp
index 444cdfd10..f73ae84bc 100644
--- a/templates/database.yml.epp
+++ b/templates/database.yml.epp
@@ -8,6 +8,7 @@
 Optional[String[1]] $username,
 Variant[Undef, String[1], Sensitive[String[1]]] $password,
 Integer[0] $db_pool,
+ Hash[String[1], Variant[String, Integer]] $extra_options,
 | -%>
 ---
 <%= template('foreman/_header.erb') %>
@@ -33,3 +34,6 @@
 password: <%= stdlib::to_ruby($password) %>
 <% } -%>
 pool: <%= $db_pool %>
+<% $extra_options.each |$k, $v| { -%>
+ <%= $k %>: <%= stdlib::to_ruby($v) %>
+<% } -%>
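Review bot: In the new loop the key is emitted raw (`<%= $k %>:`) while only the value goes through `stdlib::to_ruby`, so a key containing `:`, `#`, quotes or a leading `-` breaks or reshapes the YAML, and a key such as `password` or `pool` duplicates a line written just above it (Psych, as far as I know, keeps the last occurrence, so the extra option silently wins). Either quote the key the same way — `<%= stdlib::to_ruby($k) %>: <%= stdlib::to_ruby($v) %>` — which also means the spec regexes added in this commit must expect quoted keys, or tighten the EPP parameter in the first hunk to `Hash[Pattern[/\A[a-z_]+\z/], Variant[String, Integer]] $extra_options,` so only libpq-style identifiers reach this line. Also make sure the emitted line carries the same indentation as `pool:` above it — not verifiable in this rendering of the diff — since a mismatch would put the options outside the production mapping without any spec noticing (the regexes do not check indentation).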