diff --git a/rds-postgres/primary-instance/main.tf b/rds-postgres/primary-instance/main.tf
index ab2e91d..06d1dac 100644
--- a/rds-postgres/primary-instance/main.tf
+++ b/rds-postgres/primary-instance/main.tf
@@ -4,6 +4,7 @@ resource "aws_db_instance" "this" {
   auto_minor_version_upgrade      = var.auto_minor_version_upgrade
   backup_retention_period         = var.backup_retention_period
   backup_window                   = var.backup_window
+  ca_cert_identifier              = var.ca_cert_id
   db_subnet_group_name            = local.subnet_group_name
   enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
   engine                          = var.engine
diff --git a/rds-postgres/primary-instance/variables.tf b/rds-postgres/primary-instance/variables.tf
index 376175e..304a6b7 100644
--- a/rds-postgres/primary-instance/variables.tf
+++ b/rds-postgres/primary-instance/variables.tf
@@ -35,6 +35,12 @@ variable "backup_window" {
   default     = null
 }
 
+variable "ca_cert_id" {
+  type        = string
+  description = "Certificate authority for RDS database"
+  default     = "rds-ca-rsa2048-g1"
+}
+
 variable "create_default_db" {
   type        = bool
   description = "Set to false to disable creating a default database"
diff --git a/rds-postgres/replica/main.tf b/rds-postgres/replica/main.tf
index b551600..1ede48c 100644
--- a/rds-postgres/replica/main.tf
+++ b/rds-postgres/replica/main.tf
@@ -1,6 +1,7 @@
 resource "aws_db_instance" "this" {
   allocated_storage            = var.allocated_storage
   apply_immediately            = var.apply_immediately
+  ca_cert_identifier           = var.ca_cert_id
   db_subnet_group_name         = var.subnet_group_name
   identifier                   = var.identifier
   instance_class               = var.instance_class
diff --git a/rds-postgres/replica/variables.tf b/rds-postgres/replica/variables.tf
index eca782e..b9635fb 100644
--- a/rds-postgres/replica/variables.tf
+++ b/rds-postgres/replica/variables.tf
@@ -9,6 +9,12 @@ variable "apply_immediately" {
   default     = false
 }
 
+variable "ca_cert_id" {
+  type        = string
+  description = "Certificate authority for RDS database"
+  default     = "rds-ca-rsa2048-g1"
+}
+
 variable "engine_version" {
   type        = string
   description = "Version for RDS database engine"