diff --git a/dev/config/custom-environment-variables.js b/dev/config/custom-environment-variables.js
index ccc58643a8a5c182e8c273dd594b72fe0cbc3391..b96cd1029c2c4f6aaed5145c59e8bffd14516202 100644
--- a/dev/config/custom-environment-variables.js
+++ b/dev/config/custom-environment-variables.js
@@ -14,12 +14,7 @@ module.exports = {
       __name: 'POSTGRES_ALLOW_SELF_SIGNED_CERTIFICATES',
       __format: 'json',
     },
-    // ssl: {
-    //   rejectUnauthorized: {
-    //     __name: 'POSTGRES_ALLOW_SELF_SIGNED_CERTIFICATES',
-    //     __format: 'json',
-    //   },
-    // },
+    caCert: 'POSTGRES_CA_CERT',
   },
   serverUrl: 'SERVER_URL',
   fileStorage: {
diff --git a/src/db/connectionConfig.js b/src/db/connectionConfig.js
index 6e7228a493101b0464eb42d59ab07e60278d4549..94e10fd6076a20ef09e414431ed38b1baeb62a06 100644
--- a/src/db/connectionConfig.js
+++ b/src/db/connectionConfig.js
@@ -1,7 +1,8 @@
 const config = require('config')
 
 const getDbConnectionConfig = () => {
-  const { allowSelfSignedCertificates, ...connectionConfig } = config.get('db')
+  const { allowSelfSignedCertificates, caCert, ...connectionConfig } =
+    config.get('db')
 
   // clone to get around an issue of knex deleting password from the original object
   const connection = { ...connectionConfig }
@@ -11,6 +12,20 @@ const getDbConnectionConfig = () => {
     connection.ssl.rejectUnauthorized = false
   }
 
+  if (caCert) {
+    if (!connection.ssl) connection.ssl = {}
+    connection.ssl.rejectUnauthorized = true
+
+    /**
+     * The value of the env variable should be the base64 encoded crt file.
+     * eg. the result of `base64 -w0 ca-certificate.crt`
+     * It gets decoded here. This is to prevent issues with newlines when trying
+     * to pass the contents of a cert file as an environment variable in some
+     * deployment environments.
+     */
+    connection.ssl.ca = Buffer.from(caCert, 'base64').toString('utf-8')
+  }
+
   return connection
 }