diff --git a/src/pkg/builder/job_builder.go b/src/pkg/builder/job_builder.go
index 7604a2a..d168970 100644
--- a/src/pkg/builder/job_builder.go
+++ b/src/pkg/builder/job_builder.go
@@ -67,6 +67,18 @@ func (b *Builder) BuildInitJob(zitadel *zitadelv1alpha1.ZitadelCluster, key type
 									Name:  "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY",
 									Value: "/certs/tls.key",
 								},
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT",
+									Value: "/certs/ca.crt",
+								},
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT",
+									Value: "/certs/tls.crt",
+								},
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY",
+									Value: "/certs/tls.key",
+								},
 							},
 							VolumeMounts: []corev1.VolumeMount{
 								{Name: "zitadel-config-yaml", MountPath: "/config"},
@@ -150,6 +162,19 @@ func (b *Builder) BuildSetupJob(zitadel *zitadelv1alpha1.ZitadelCluster, key typ
 									Name:  "ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY",
 									Value: "/certs/tls.key",
 								},
+
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT",
+									Value: "/certs/ca.crt",
+								},
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT",
+									Value: "/certs/tls.crt",
+								},
+								{
+									Name:  "ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY",
+									Value: "/certs/tls.key",
+								},
 							},
 							VolumeMounts: []corev1.VolumeMount{
 								{Name: "zitadel-config-yaml", MountPath: "/config"},
diff --git a/src/pkg/controller/configmap/controller.go b/src/pkg/controller/configmap/controller.go
index ec35f80..aaf6841 100644
--- a/src/pkg/controller/configmap/controller.go
+++ b/src/pkg/controller/configmap/controller.go
@@ -33,6 +33,9 @@ func (r *ConfigMapReconciler) ReconcileZitadelConfiguration(ctx context.Context,
 Database:
   Cockroach:
     Host: %s
+    User:
+     SSL:
+       Mode: require
     Admin:
      SSL:
        Mode: require