diff --git a/pgbouncer/kubedb_client_builder.go b/pgbouncer/kubedb_client_builder.go
index 3397befe..3d11d168 100644
--- a/pgbouncer/kubedb_client_builder.go
+++ b/pgbouncer/kubedb_client_builder.go
@@ -27,6 +27,7 @@ import (
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
+	"kmodules.xyz/client-go/tools/certholder"
 	appbinding "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"xorm.io/xorm"
@@ -34,7 +35,6 @@ import (
 
 const (
 	DefaultBackendDBType = "postgres"
-	TLSModeDisable       = "disable"
 )
 
 type Auth struct {
@@ -171,6 +171,25 @@ func (o *KubeDBClientBuilder) getBackendAuth() (string, string, error) {
 	return string(user), string(pass), nil
 }
 
+func (o *KubeDBClientBuilder) getTLSConfig(ctx context.Context) (*certholder.Paths, error) {
+	secretName := o.pgbouncer.GetCertSecretName(dbapi.PgBouncerClientCert)
+
+	var certSecret core.Secret
+	err := o.kc.Get(ctx, client.ObjectKey{Namespace: o.pgbouncer.Namespace, Name: secretName}, &certSecret)
+	if err != nil {
+		klog.Error(err, "failed to get certificate secret.", secretName)
+		return nil, err
+	}
+
+	certs, _ := certholder.DefaultHolder.ForResource(dbapi.SchemeGroupVersion.WithResource(dbapi.ResourcePluralPgBouncer), o.pgbouncer.ObjectMeta)
+	paths, err := certs.Save(&certSecret)
+	if err != nil {
+		klog.Error(err, "failed to save certificate")
+		return nil, err
+	}
+	return paths, nil
+}
+
 func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
 	user, pass, err := o.getBackendAuth()
 	if err != nil {
@@ -185,8 +204,25 @@ func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
 	if o.pbContainerPort != nil {
 		listeningPort = int(*o.pbContainerPort)
 	}
-	// TODO ssl mode is disable now need to work on this after adding tls support
-	connector := fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s", user, pass, o.url, listeningPort, o.backendDBName, TLSModeDisable)
+
+	sslMode := o.pgbouncer.Spec.SSLMode
+	if sslMode == "" {
+		sslMode = dbapi.PgBouncerSSLModeDisable
+	}
+	connector := ""
+	if o.pgbouncer.Spec.TLS != nil {
+		paths, err := o.getTLSConfig(o.ctx)
+		if err != nil {
+			return "", err
+		}
+		if o.pgbouncer.Spec.ConnectionPool.AuthType == dbapi.PgBouncerClientAuthModeCert || o.pgbouncer.Spec.SSLMode == dbapi.PgBouncerSSLModeVerifyCA || o.pgbouncer.Spec.SSLMode == dbapi.PgBouncerSSLModeVerifyFull {
+			connector = fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s sslrootcert=%s sslcert=%s sslkey=%s", user, pass, o.url, listeningPort, o.backendDBName, sslMode, paths.CACert, paths.Cert, paths.Key)
+		} else {
+			connector = fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s sslrootcert=%s", user, pass, o.url, listeningPort, o.backendDBName, sslMode, paths.CACert)
+		}
+	} else {
+		connector = fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s", user, pass, o.url, listeningPort, o.backendDBName, sslMode)
+	}
 	return connector, nil
 }