feat(storage): tls connection support (#4233)

This adds support to PostgreSQL and MySQL to connect via TLS via the standard TLS configuration options.
2022-10-22 19:27:59 +11:00 · 2022-10-22 19:27:59 +11:00 · 69c4c02d03
parent 1ea29cb2c2
commit 69c4c02d03
13 changed files with 934 additions and 140 deletions
--- a/config.template.yml
+++ b/config.template.yml
@ -304,18 +304,22 @@ authentication_backend:
    # start_tls: false
    # tls:
-      ## Server Name for certificate validation (in case it's not set correctly in the URL).
+      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host portion of the url option.
      # server_name: ldap.example.com
-      ## Skip verifying the server certificate (to allow a self-signed certificate).
+      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
-      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
-      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
-      ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
+      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
-      ## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
+      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
@ -717,12 +721,16 @@ session:
    ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
    # tls:
-      ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
+      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: myredis.example.com
-      ## Skip verifying the server certificate (to allow a self-signed certificate).
+      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
-      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
-      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
      ## Minimum TLS version for the connection.
@ -882,6 +890,99 @@ regulation:
    # password: mypassword
    # timeout: 5s
    ## MySQL TLS settings. Configuring this requires TLS.
    # tls:
      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: mysql.example.com
      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
        ## The certificate chain used with the private_key if the server requests TLS Client Authentication
        ## i.e. Mutual TLS.
        # certificate_chain: |
          # -----BEGIN CERTIFICATE-----
          # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
          # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
          # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
          # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
          # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
          # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
          # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
          # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
          # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
          # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
          # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
          # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
          # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
          # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
          # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
          # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
          # -----END CERTIFICATE-----
          # -----BEGIN CERTIFICATE-----
          # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
          # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
          # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
          # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
          # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
          # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
          # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
          # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
          # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
          # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
          # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
          # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
          # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
          # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
          # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
          # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
          # qocikt3WAdU^invalid DO NOT USE=
          # -----END CERTIFICATE-----
        ## The private key used with the certificate_chain if the server requests TLS Client Authentication
        ## i.e. Mutual TLS.
        # private_key: |
          #  -----BEGIN RSA PRIVATE KEY-----
          # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
          # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
          # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
          # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
          # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
          # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
          # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
          # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
          # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
          # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
          # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
          # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
          # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
          # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
          # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
          # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
          # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
          # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
          # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
          # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
          # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
          # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
          # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
          # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
          # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
          # DO NOT USE==
          # -----END RSA PRIVATE KEY-----
  ##
  ## PostgreSQL (Storage Provider)
  ##
@ -894,11 +995,99 @@ regulation:
    ## Password can also be set using a secret: https://www.authelia.com/c/secrets
    # password: mypassword
    # timeout: 5s
-    # ssl:
+
-      # mode: disable
+    ## PostgreSQL TLS settings. Configuring this requires TLS.
-      # root_certificate: disable
+    # tls:
-      # certificate: disable
+      ## The server subject name to check the servers certificate against during the validation process.
-      # key: disable
+      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: postgres.example.com
      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
      ## i.e. Mutual TLS.
      # certificate_chain: |
        # -----BEGIN CERTIFICATE-----
        # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
        # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
        # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
        # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
        # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
        # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
        # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
        # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
        # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
        # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
        # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
        # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
        # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
        # -----END CERTIFICATE-----
        # -----BEGIN CERTIFICATE-----
        # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
        # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
        # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
        # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
        # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
        # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
        # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
        # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
        # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
        # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
        # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
        # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
        # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
        # qocikt3WAdU^invalid DO NOT USE=
        # -----END CERTIFICATE-----
      ## The private key used with the certificate_chain if the server requests TLS Client Authentication
      ## i.e. Mutual TLS.
      # private_key: |
        #  -----BEGIN RSA PRIVATE KEY-----
        # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
        # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
        # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
        # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
        # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
        # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
        # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
        # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
        # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
        # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
        # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
        # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
        # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
        # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
        # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
        # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
        # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
        # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
        # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
        # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
        # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
        # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
        # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
        # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
        # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
        # DO NOT USE==
        # -----END RSA PRIVATE KEY-----
 ##
 ## Notification Provider
@ -966,18 +1155,22 @@ notifier:
    # disable_html_emails: false
    # tls:
-      ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
+      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: smtp.example.com
-      ## Skip verifying the server certificate (to allow a self-signed certificate).
+      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
-      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
-      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
-      ## Minimum TLS version for either StartTLS or SMTPS.
+      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
-      ## Maximum TLS version for either StartTLS or SMTPS.
+      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
--- a/docs/content/en/configuration/storage/mysql.md
+++ b/docs/content/en/configuration/storage/mysql.md
@ -17,12 +17,12 @@ aliases:
 ## Version support
-When using MySQL or MariaDB we recommend using the latest version that is officially supported by the MySQL or MariaDB
+When using [MySQL] or [MariaDB] we recommend using the latest version that is officially supported by the [MySQL] or
-developers. We also suggest checking out [PostgreSQL](postgres.md) as an alternative.
+[MariaDB] developers. We also suggest checking out [PostgreSQL](postgres.md) as an alternative.
-The oldest versions that have been tested are MySQL 5.7 and MariaDB 10.6.
+The oldest versions that have been tested are [MySQL] 5.7 and [MariaDB] 10.6.
-If using MySQL 5.7 or MariaDB 10.6 you may be required to adjust the `explicit_defaults_for_timestamp` setting. This
+If using [MySQL] 5.7 or [MariaDB] 10.6 you may be required to adjust the `explicit_defaults_for_timestamp` setting. This
 will be evident when the container starts with an error similar to `Error 1067: Invalid default value for 'exp'`. You
 can adjust this setting in the mysql.cnf file like so:
@ -43,6 +43,78 @@ storage:
    username: authelia
    password: mypassword
    timeout: 5s
    tls:
      server_name: mysql.example.com
      skip_verify: false
      minimum_version: TLS1.2
      maximum_version: TLS1.3
      certificate_chain: |
        -----BEGIN CERTIFICATE-----
        MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
        EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
        /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
        LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
        91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
        kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
        Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
        AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
        AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
        /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
        lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
        wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
        OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
        ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
        EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
        zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
        5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
        kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
        ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
        Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
        AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
        Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
        kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
        71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
        HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
        D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
        2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
        qocikt3WAdU^invalid DO NOT USE=
        -----END CERTIFICATE-----
      private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
        T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
        KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
        +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
        LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
        txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
        aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
        Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
        ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
        LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
        jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
        BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
        Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
        R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
        tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
        ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
        lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
        6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
        fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
        9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
        jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
        rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
        n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
        yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
        27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
        DO NOT USE==
        -----END RSA PRIVATE KEY-----
 ```
 ## Options
@ -65,7 +137,7 @@ storage:
    host: "[fd00:1111:2222:3333::1]"
 ```
-If utilizing a unix socket it must have the `unix:` prefix:
+If utilizing a unix socket it must have the `/` prefix:
 ```yaml
 storage:
@ -110,3 +182,11 @@ characters and the user password is changed to this value.
 {{< confkey type="duration" default="5s" required="no" >}}
 The SQL connection timeout.
 ### tls
 If defined enables connecting to [MySQL] or [MariaDB] over a TLS socket, and additionally controls the TLS connection
 validation process. You can see how to configure the tls section [here](../prologue/common.md#tls-configuration).
 [MySQL]: https://www.mysql.com/
 [MariaDB]: https://mariadb.org/
--- a/docs/content/en/configuration/storage/postgres.md
+++ b/docs/content/en/configuration/storage/postgres.md
@ -16,10 +16,10 @@ aliases:
 ## Version support
-See [PostgreSQL support](https://www.postgresql.org/support/versioning/) for the versions supported by PostgreSQL. We
+See [PostgreSQL support](https://www.postgresql.org/support/versioning/) for the versions supported by [PostgreSQL]. We
-recommend the *current minor* version of one of the versions supported by PostgreSQL.
+recommend the *current minor* version of one of the versions supported by [PostgreSQL].
-The versions of PostgreSQL that should be supported by Authelia are:
+The versions of [PostgreSQL] that should be supported by Authelia are:
 * 14
 * 13
@ -40,11 +40,78 @@ storage:
    schema: public
    username: authelia
    password: mypassword
-    ssl:
+    tls:
-      mode: disable
+      server_name: psotgres.example.com
-      root_certificate: /path/to/root_cert.pem
+      skip_verify: false
-      certificate: /path/to/cert.pem
+      minimum_version: TLS1.2
-      key: /path/to/key.pem
+      maximum_version: TLS1.3
      certificate_chain: |
        -----BEGIN CERTIFICATE-----
        MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
        EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
        /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
        LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
        91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
        kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
        Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
        AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
        AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
        /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
        lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
        wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
        OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
        ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
        EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
        zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
        5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
        kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
        ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
        Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
        AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
        Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
        kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
        71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
        HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
        D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
        2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
        qocikt3WAdU^invalid DO NOT USE=
        -----END CERTIFICATE-----
      private_key: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
        T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
        KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
        +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
        LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
        txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
        aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
        Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
        ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
        LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
        jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
        BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
        Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
        R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
        tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
        ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
        lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
        6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
        fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
        9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
        jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
        rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
        n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
        yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
        27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
        DO NOT USE==
        -----END RSA PRIVATE KEY-----
 ```
 ## Options
@ -67,7 +134,7 @@ storage:
    host: "[fd00:1111:2222:3333::1]"
 ```
-If utilizing a unix socket it must have the `unix:` prefix:
+If utilizing a unix socket it must have the `/` prefix:
 ```yaml
 storage:
@ -120,32 +187,9 @@ characters and the user password is changed to this value.
 The SQL connection timeout.
-### ssl
+### tls
-#### mode
+If defined enables connecting to [PostgreSQL] over a TLS socket, and additionally controls the TLS connection
 validation process. You can see how to configure the tls section [here](../prologue/common.md#tls-configuration).
-{{< confkey type="string" default="disable" required="no" >}}
+[PostgreSQL]: https://www.postgresql.org/
 SSL mode configures how to handle SSL connections with Postgres.
 Valid options are 'disable', 'require', 'verify-ca', or 'verify-full'.
 See the [PostgreSQL Documentation](https://www.postgresql.org/docs/12/libpq-ssl.html)
 or [pgx - PostgreSQL Driver and Toolkit Documentation](https://pkg.go.dev/github.com/jackc/pgx?tab=doc)
 for more information.
 #### root_certificate
 {{< confkey type="string" required="no" >}}
 The optional location of the root certificate file encoded in the PEM format for validation purposes.
 #### certificate
 {{< confkey type="string" required="no" >}}
 The optional location of the certificate file encoded in the PEM format for validation purposes.
 #### key
 {{< confkey type="string" required="no" >}}
 The optional location of the key file encoded in the PEM format for authentication purposes.
--- a/docs/data/configkeys.json
+++ b/docs/data/configkeys.json
--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@ -304,18 +304,22 @@ authentication_backend:
    # start_tls: false
    # tls:
-      ## Server Name for certificate validation (in case it's not set correctly in the URL).
+      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host portion of the url option.
      # server_name: ldap.example.com
-      ## Skip verifying the server certificate (to allow a self-signed certificate).
+      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
-      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
-      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
-      ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
+      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
-      ## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
+      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
@ -717,12 +721,16 @@ session:
    ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
    # tls:
-      ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
+      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: myredis.example.com
-      ## Skip verifying the server certificate (to allow a self-signed certificate).
+      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
-      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
-      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
      ## Minimum TLS version for the connection.
@ -882,6 +890,99 @@ regulation:
    # password: mypassword
    # timeout: 5s
    ## MySQL TLS settings. Configuring this requires TLS.
    # tls:
      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: mysql.example.com
      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
        ## The certificate chain used with the private_key if the server requests TLS Client Authentication
        ## i.e. Mutual TLS.
        # certificate_chain: |
          # -----BEGIN CERTIFICATE-----
          # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
          # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
          # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
          # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
          # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
          # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
          # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
          # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
          # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
          # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
          # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
          # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
          # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
          # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
          # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
          # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
          # -----END CERTIFICATE-----
          # -----BEGIN CERTIFICATE-----
          # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
          # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
          # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
          # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
          # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
          # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
          # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
          # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
          # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
          # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
          # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
          # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
          # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
          # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
          # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
          # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
          # qocikt3WAdU^invalid DO NOT USE=
          # -----END CERTIFICATE-----
        ## The private key used with the certificate_chain if the server requests TLS Client Authentication
        ## i.e. Mutual TLS.
        # private_key: |
          #  -----BEGIN RSA PRIVATE KEY-----
          # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
          # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
          # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
          # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
          # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
          # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
          # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
          # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
          # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
          # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
          # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
          # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
          # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
          # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
          # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
          # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
          # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
          # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
          # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
          # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
          # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
          # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
          # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
          # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
          # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
          # DO NOT USE==
          # -----END RSA PRIVATE KEY-----
  ##
  ## PostgreSQL (Storage Provider)
  ##
@ -894,11 +995,99 @@ regulation:
    ## Password can also be set using a secret: https://www.authelia.com/c/secrets
    # password: mypassword
    # timeout: 5s
-    # ssl:
+
-      # mode: disable
+    ## PostgreSQL TLS settings. Configuring this requires TLS.
-      # root_certificate: disable
+    # tls:
-      # certificate: disable
+      ## The server subject name to check the servers certificate against during the validation process.
-      # key: disable
+      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: postgres.example.com
      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
      ## i.e. Mutual TLS.
      # certificate_chain: |
        # -----BEGIN CERTIFICATE-----
        # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
        # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
        # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
        # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
        # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
        # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
        # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
        # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
        # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
        # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
        # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
        # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
        # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
        # -----END CERTIFICATE-----
        # -----BEGIN CERTIFICATE-----
        # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
        # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
        # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
        # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
        # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
        # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
        # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
        # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
        # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
        # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
        # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
        # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
        # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
        # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
        # qocikt3WAdU^invalid DO NOT USE=
        # -----END CERTIFICATE-----
      ## The private key used with the certificate_chain if the server requests TLS Client Authentication
      ## i.e. Mutual TLS.
      # private_key: |
        #  -----BEGIN RSA PRIVATE KEY-----
        # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
        # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
        # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
        # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
        # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
        # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
        # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
        # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
        # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
        # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
        # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
        # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
        # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
        # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
        # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
        # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
        # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
        # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
        # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
        # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
        # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
        # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
        # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
        # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
        # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
        # DO NOT USE==
        # -----END RSA PRIVATE KEY-----
 ##
 ## Notification Provider
@ -966,18 +1155,22 @@ notifier:
    # disable_html_emails: false
    # tls:
-      ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
+      ## The server subject name to check the servers certificate against during the validation process.
      ## This option is not required if the certificate has a SAN which matches the host option.
      # server_name: smtp.example.com
-      ## Skip verifying the server certificate (to allow a self-signed certificate).
+      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
-      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
-      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+      ## defined by the `certificates_directory` option at the top of the configuration.
      ## It's important to note the public key should be added to the directory, not the private key.
      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
      ## important to the administrator.
      # skip_verify: false
-      ## Minimum TLS version for either StartTLS or SMTPS.
+      ## Minimum TLS version for the connection.
      # minimum_version: TLS1.2
-      ## Maximum TLS version for either StartTLS or SMTPS.
+      ## Maximum TLS version for the connection.
      # maximum_version: TLS1.3
      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
--- a/internal/configuration/schema/keys.go
+++ b/internal/configuration/schema/keys.go
@ -174,6 +174,12 @@ var Keys = []string{
 	"storage.mysql.username",
 	"storage.mysql.password",
 	"storage.mysql.timeout",
 	"storage.mysql.tls.minimum_version",
 	"storage.mysql.tls.maximum_version",
 	"storage.mysql.tls.skip_verify",
 	"storage.mysql.tls.server_name",
 	"storage.mysql.tls.private_key",
 	"storage.mysql.tls.certificate_chain",
 	"storage.postgres.host",
 	"storage.postgres.port",
 	"storage.postgres.database",
@ -181,6 +187,12 @@ var Keys = []string{
 	"storage.postgres.password",
 	"storage.postgres.timeout",
 	"storage.postgres.schema",
 	"storage.postgres.tls.minimum_version",
 	"storage.postgres.tls.maximum_version",
 	"storage.postgres.tls.skip_verify",
 	"storage.postgres.tls.server_name",
 	"storage.postgres.tls.private_key",
 	"storage.postgres.tls.certificate_chain",
 	"storage.postgres.ssl.mode",
 	"storage.postgres.ssl.root_certificate",
 	"storage.postgres.ssl.certificate",
--- a/internal/configuration/schema/storage.go
+++ b/internal/configuration/schema/storage.go
@ -1,6 +1,9 @@
 package schema
-import "time"
+import (
 	"crypto/tls"
 	"time"
 )
 // LocalStorageConfiguration represents the configuration when using local storage.
 type LocalStorageConfiguration struct {
@ -20,6 +23,8 @@ type SQLStorageConfiguration struct {
 // MySQLStorageConfiguration represents the configuration of a MySQL database.
 type MySQLStorageConfiguration struct {
 	SQLStorageConfiguration `koanf:",squash"`
 	TLS *TLSConfig `koanf:"tls"`
 }
 // PostgreSQLStorageConfiguration represents the configuration of a PostgreSQL database.
@ -27,7 +32,9 @@ type PostgreSQLStorageConfiguration struct {
 	SQLStorageConfiguration `koanf:",squash"`
 	Schema                  string `koanf:"schema"`
-	SSL PostgreSQLSSLStorageConfiguration `koanf:"ssl"`
+	TLS *TLSConfig `koanf:"tls"`
 	SSL *PostgreSQLSSLStorageConfiguration `koanf:"ssl"`
 }
 // PostgreSQLSSLStorageConfiguration represents the SSL configuration of a PostgreSQL database.
@ -52,10 +59,20 @@ var DefaultSQLStorageConfiguration = SQLStorageConfiguration{
 	Timeout: 5 * time.Second,
 }
 // DefaultMySQLStorageConfiguration represents the default MySQL configuration.
 var DefaultMySQLStorageConfiguration = MySQLStorageConfiguration{
 	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
 }
 // DefaultPostgreSQLStorageConfiguration represents the default PostgreSQL configuration.
 var DefaultPostgreSQLStorageConfiguration = PostgreSQLStorageConfiguration{
 	Schema: "public",
-	SSL: PostgreSQLSSLStorageConfiguration{
+	TLS: &TLSConfig{
 		MinimumVersion: TLSVersion{tls.VersionTLS12},
 	},
 	SSL: &PostgreSQLSSLStorageConfiguration{
 		Mode: "disable",
 	},
 }
--- a/internal/configuration/validator/const.go
+++ b/internal/configuration/validator/const.go
@ -126,7 +126,10 @@ const (
 	errStrStorageEncryptionKeyTooShort            = "storage: option 'encryption_key' must be 20 characters or longer"
 	errFmtStorageUserPassMustBeProvided           = "storage: %s: option 'username' and 'password' are required" //nolint:gosec
 	errFmtStorageOptionMustBeProvided             = "storage: %s: option '%s' is required"
 	errFmtStorageTLSConfigInvalid                 = "storage: %s: tls: %w"
 	errFmtStoragePostgreSQLInvalidSSLMode         = "storage: postgres: ssl: option 'mode' must be one of '%s' but it is configured as '%s'"
 	errFmtStoragePostgreSQLInvalidSSLAndTLSConfig = "storage: postgres: can't define both 'tls' and 'ssl' configuration options"
 	warnFmtStoragePostgreSQLInvalidSSLDeprecated  = "storage: postgres: ssl: the ssl configuration options are deprecated and we recommend the tls options instead"
 )
 // Telemetry Error constants.
--- a/internal/configuration/validator/storage.go
+++ b/internal/configuration/validator/storage.go
@ -17,7 +17,7 @@ func ValidateStorage(config schema.StorageConfiguration, validator *schema.Struc
 	switch {
 	case config.MySQL != nil:
-		validateSQLConfiguration(&config.MySQL.SQLStorageConfiguration, validator, "mysql")
+		validateMySQLConfiguration(config.MySQL, validator)
 	case config.PostgreSQL != nil:
 		validatePostgreSQLConfiguration(config.PostgreSQL, validator)
 	case config.Local != nil:
@ -49,6 +49,22 @@ func validateSQLConfiguration(config *schema.SQLStorageConfiguration, validator
 	}
 }
 func validateMySQLConfiguration(config *schema.MySQLStorageConfiguration, validator *schema.StructValidator) {
 	validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "mysql")
 	if config.TLS != nil {
 		configDefaultTLS := &schema.TLSConfig{
 			ServerName:     config.Host,
 			MinimumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MinimumVersion,
 			MaximumVersion: schema.DefaultMySQLStorageConfiguration.TLS.MaximumVersion,
 		}
 		if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {
 			validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "mysql", err))
 		}
 	}
 }
 func validatePostgreSQLConfiguration(config *schema.PostgreSQLStorageConfiguration, validator *schema.StructValidator) {
 	validateSQLConfiguration(&config.SQLStorageConfiguration, validator, "postgres")
@ -56,11 +72,29 @@ func validatePostgreSQLConfiguration(config *schema.PostgreSQLStorageConfigurati
 		config.Schema = schema.DefaultPostgreSQLStorageConfiguration.Schema
 	}
-	if config.SSL.Mode == "" {
+	switch {
 	case config.TLS != nil && config.SSL != nil:
 		validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLAndTLSConfig))
 	case config.TLS != nil:
 		configDefaultTLS := &schema.TLSConfig{
 			ServerName:     config.Host,
 			MinimumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MinimumVersion,
 			MaximumVersion: schema.DefaultPostgreSQLStorageConfiguration.TLS.MaximumVersion,
 		}
 		if err := ValidateTLSConfig(config.TLS, configDefaultTLS); err != nil {
 			validator.Push(fmt.Errorf(errFmtStorageTLSConfigInvalid, "postgres", err))
 		}
 	case config.SSL != nil:
 		validator.PushWarning(fmt.Errorf(warnFmtStoragePostgreSQLInvalidSSLDeprecated))
 		switch {
 		case config.SSL.Mode == "":
 			config.SSL.Mode = schema.DefaultPostgreSQLStorageConfiguration.SSL.Mode
-	} else if !utils.IsStringInSlice(config.SSL.Mode, validStoragePostgreSQLSSLModes) {
+		case !utils.IsStringInSlice(config.SSL.Mode, validStoragePostgreSQLSSLModes):
 			validator.Push(fmt.Errorf(errFmtStoragePostgreSQLInvalidSSLMode, strings.Join(validStoragePostgreSQLSSLModes, "', '"), config.SSL.Mode))
 		}
 	}
 }
 func validateLocalStorageConfiguration(config *schema.LocalStorageConfiguration, validator *schema.StructValidator) {
--- a/internal/configuration/validator/storage_test.go
+++ b/internal/configuration/validator/storage_test.go
@ -1,6 +1,7 @@
 package validator
 import (
 	"crypto/tls"
 	"testing"
 	"github.com/stretchr/testify/suite"
@ -79,6 +80,70 @@ func (suite *StorageSuite) TestShouldValidateMySQLHostUsernamePasswordAndDatabas
 	suite.Require().Len(suite.validator.Errors(), 0)
 }
 func (suite *StorageSuite) TestShouldSetDefaultMySQLTLSServerName() {
 	suite.config.MySQL = &schema.MySQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "mysql1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		TLS: &schema.TLSConfig{
 			MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS12},
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 	suite.Assert().Equal(suite.config.MySQL.Host, suite.config.MySQL.TLS.ServerName)
 }
 func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidMySQLTLSVersion() {
 	suite.config.MySQL = &schema.MySQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		TLS: &schema.TLSConfig{
 			MinimumVersion: schema.TLSVersion{Value: tls.VersionSSL30}, //nolint:staticcheck
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 	suite.Assert().EqualError(suite.validator.Errors()[0], "storage: mysql: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
 }
 func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidMySQLTLSMinVersionGreaterThanMaximum() {
 	suite.config.MySQL = &schema.MySQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		TLS: &schema.TLSConfig{
 			MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS13},
 			MaximumVersion: schema.TLSVersion{Value: tls.VersionTLS11},
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 	suite.Assert().EqualError(suite.validator.Errors()[0], "storage: mysql: tls: option combination of 'minimum_version' and 'maximum_version' is invalid: minimum version TLS1.3 is greater than the maximum version TLS1.1")
 }
 func (suite *StorageSuite) TestShouldValidatePostgreSQLHostUsernamePasswordAndDatabaseAreProvided() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{}
 	suite.config.MySQL = nil
@ -104,7 +169,7 @@ func (suite *StorageSuite) TestShouldValidatePostgreSQLHostUsernamePasswordAndDa
 	suite.Assert().Len(suite.validator.Errors(), 0)
 }
-func (suite *StorageSuite) TestShouldValidatePostgresSSLModeAndSchemaDefaults() {
+func (suite *StorageSuite) TestShouldValidatePostgresSchemaDefault() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
@ -119,10 +184,140 @@ func (suite *StorageSuite) TestShouldValidatePostgresSSLModeAndSchemaDefaults()
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
-	suite.Assert().Equal("disable", suite.config.PostgreSQL.SSL.Mode)
+	suite.Assert().Nil(suite.config.PostgreSQL.SSL)
 	suite.Assert().Nil(suite.config.PostgreSQL.TLS)
 	suite.Assert().Equal("public", suite.config.PostgreSQL.Schema)
 }
 func (suite *StorageSuite) TestShouldValidatePostgresTLSDefaults() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		TLS: &schema.TLSConfig{},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 	suite.Assert().Nil(suite.config.PostgreSQL.SSL)
 	suite.Require().NotNil(suite.config.PostgreSQL.TLS)
 	suite.Assert().Equal(uint16(tls.VersionTLS12), suite.config.PostgreSQL.TLS.MinimumVersion.Value)
 }
 func (suite *StorageSuite) TestShouldSetDefaultPostgreSQLTLSServerName() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "mysql1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		TLS: &schema.TLSConfig{
 			MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS12},
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 	suite.Assert().Equal(suite.config.PostgreSQL.Host, suite.config.PostgreSQL.TLS.ServerName)
 }
 func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidPostgreSQLTLSVersion() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		TLS: &schema.TLSConfig{
 			MinimumVersion: schema.TLSVersion{Value: tls.VersionSSL30}, //nolint:staticcheck
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 	suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: tls: option 'minimum_version' is invalid: minimum version is TLS1.0 but SSL3.0 was configured")
 }
 func (suite *StorageSuite) TestShouldRaiseErrorOnInvalidPostgreSQLMinVersionGreaterThanMaximum() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		TLS: &schema.TLSConfig{
 			MinimumVersion: schema.TLSVersion{Value: tls.VersionTLS13},
 			MaximumVersion: schema.TLSVersion{Value: tls.VersionTLS11},
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 	suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: tls: option combination of 'minimum_version' and 'maximum_version' is invalid: minimum version TLS1.3 is greater than the maximum version TLS1.1")
 }
 func (suite *StorageSuite) TestShouldValidatePostgresSSLDefaults() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		SSL: &schema.PostgreSQLSSLStorageConfiguration{},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 1)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 	suite.Assert().NotNil(suite.config.PostgreSQL.SSL)
 	suite.Require().Nil(suite.config.PostgreSQL.TLS)
 	suite.Assert().Equal(schema.DefaultPostgreSQLStorageConfiguration.SSL.Mode, suite.config.PostgreSQL.SSL.Mode)
 }
 func (suite *StorageSuite) TestShouldRaiseErrorOnTLSAndLegacySSL() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
 			Host:     "db1",
 			Username: "myuser",
 			Password: "pass",
 			Database: "database",
 		},
 		SSL: &schema.PostgreSQLSSLStorageConfiguration{},
 		TLS: &schema.TLSConfig{},
 	}
 	ValidateStorage(suite.config, suite.validator)
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)
 	suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: can't define both 'tls' and 'ssl' configuration options")
 }
 func (suite *StorageSuite) TestShouldValidatePostgresDefaultsDontOverrideConfiguration() {
 	suite.config.PostgreSQL = &schema.PostgreSQLStorageConfiguration{
 		SQLStorageConfiguration: schema.SQLStorageConfiguration{
@ -132,18 +327,20 @@ func (suite *StorageSuite) TestShouldValidatePostgresDefaultsDontOverrideConfigu
 			Database: "database",
 		},
 		Schema: "authelia",
-		SSL: schema.PostgreSQLSSLStorageConfiguration{
+		SSL: &schema.PostgreSQLSSLStorageConfiguration{
 			Mode: "require",
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
-	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Warnings(), 1)
 	suite.Assert().Len(suite.validator.Errors(), 0)
 	suite.Assert().Equal("require", suite.config.PostgreSQL.SSL.Mode)
 	suite.Assert().Equal("authelia", suite.config.PostgreSQL.Schema)
 	suite.Assert().EqualError(suite.validator.Warnings()[0], "storage: postgres: ssl: the ssl configuration options are deprecated and we recommend the tls options instead")
 }
 func (suite *StorageSuite) TestShouldValidatePostgresSSLModeMustBeValid() {
@ -154,14 +351,14 @@ func (suite *StorageSuite) TestShouldValidatePostgresSSLModeMustBeValid() {
 			Password: "pass",
 			Database: "database",
 		},
-		SSL: schema.PostgreSQLSSLStorageConfiguration{
+		SSL: &schema.PostgreSQLSSLStorageConfiguration{
 			Mode: "unknown",
 		},
 	}
 	ValidateStorage(suite.config, suite.validator)
-	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Assert().Len(suite.validator.Warnings(), 1)
 	suite.Require().Len(suite.validator.Errors(), 1)
 	suite.Assert().EqualError(suite.validator.Errors()[0], "storage: postgres: ssl: option 'mode' must be one of 'disable', 'require', 'verify-ca', 'verify-full' but it is configured as 'unknown'")
 }
--- a/internal/storage/sql_provider_backend_mysql.go
+++ b/internal/storage/sql_provider_backend_mysql.go
@ -9,6 +9,7 @@ import (
 	"github.com/go-sql-driver/mysql"
 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/utils"
 )
 // MySQLProvider is a MySQL provider.
@ -19,7 +20,7 @@ type MySQLProvider struct {
 // NewMySQLProvider a MySQL provider.
 func NewMySQLProvider(config *schema.Configuration, caCertPool *x509.CertPool) (provider *MySQLProvider) {
 	provider = &MySQLProvider{
-		SQLProvider: NewSQLProvider(config, providerMySQL, providerMySQL, dsnMySQL(config.Storage.MySQL)),
+		SQLProvider: NewSQLProvider(config, providerMySQL, providerMySQL, dsnMySQL(config.Storage.MySQL, caCertPool)),
 	}
 	// All providers have differing SELECT existing table statements.
@ -31,7 +32,7 @@ func NewMySQLProvider(config *schema.Configuration, caCertPool *x509.CertPool) (
 	return provider
 }
-func dsnMySQL(config *schema.MySQLStorageConfiguration) (dataSourceName string) {
+func dsnMySQL(config *schema.MySQLStorageConfiguration, caCertPool *x509.CertPool) (dataSourceName string) {
 	dsnConfig := mysql.NewConfig()
 	switch {
@ -46,6 +47,12 @@ func dsnMySQL(config *schema.MySQLStorageConfiguration) (dataSourceName string)
 		dsnConfig.Addr = fmt.Sprintf("%s:%d", config.Host, config.Port)
 	}
 	if config.TLS != nil {
 		_ = mysql.RegisterTLSConfig("storage", utils.NewTLSConfig(config.TLS, caCertPool))
 		dsnConfig.TLSConfig = "storage"
 	}
 	switch config.Port {
 	case 0:
 		dsnConfig.Addr = config.Host
--- a/internal/storage/sql_provider_backend_postgres.go
+++ b/internal/storage/sql_provider_backend_postgres.go
@ -12,6 +12,7 @@ import (
 	"github.com/jackc/pgx/v5/stdlib"
 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/utils"
 )
 // PostgreSQLProvider is a PostgreSQL provider.
@ -135,42 +136,12 @@ func NewPostgreSQLProvider(config *schema.Configuration, caCertPool *x509.CertPo
 func dsnPostgreSQL(config *schema.PostgreSQLStorageConfiguration, globalCACertPool *x509.CertPool) (dsn string) {
 	dsnConfig, _ := pgx.ParseConfig("")
 	ca, certs := loadPostgreSQLLegacyTLS(config)
 	switch config.SSL.Mode {
 	case "disable":
 		break
 	default:
 		var caCertPool *x509.CertPool
 		switch ca {
 		case nil:
 			caCertPool = globalCACertPool
 		default:
 			caCertPool = globalCACertPool.Clone()
 			caCertPool.AddCert(ca)
 		}
 		dsnConfig.TLSConfig = &tls.Config{
 			Certificates:       certs,
 			RootCAs:            caCertPool,
 			InsecureSkipVerify: true, //nolint:gosec
 		}
 		switch {
 		case config.SSL.Mode == "require" && config.SSL.RootCertificate != "" || config.SSL.Mode == "verify-ca":
 			dsnConfig.TLSConfig.VerifyPeerCertificate = newPostgreSQLVerifyCAFunc(dsnConfig.TLSConfig)
 		case config.SSL.Mode == "verify-full":
 			dsnConfig.TLSConfig.InsecureSkipVerify = false
 			dsnConfig.TLSConfig.ServerName = config.Host
 		}
 	}
 	dsnConfig.Host = config.Host
 	dsnConfig.Port = uint16(config.Port)
 	dsnConfig.Database = config.Database
 	dsnConfig.User = config.Username
 	dsnConfig.Password = config.Password
 	dsnConfig.TLSConfig = loadPostgreSQLTLSConfig(config, globalCACertPool)
 	dsnConfig.ConnectTimeout = config.Timeout
 	dsnConfig.RuntimeParams = map[string]string{
 		"search_path": config.Schema,
@ -183,7 +154,50 @@ func dsnPostgreSQL(config *schema.PostgreSQLStorageConfiguration, globalCACertPo
 	return stdlib.RegisterConnConfig(dsnConfig)
 }
-func loadPostgreSQLLegacyTLS(config *schema.PostgreSQLStorageConfiguration) (ca *x509.Certificate, certs []tls.Certificate) {
+func loadPostgreSQLTLSConfig(config *schema.PostgreSQLStorageConfiguration, globalCACertPool *x509.CertPool) (tlsConfig *tls.Config) {
 	if config.TLS == nil && config.SSL == nil {
 		return nil
 	}
 	if config.TLS != nil {
 		return utils.NewTLSConfig(config.TLS, globalCACertPool)
 	}
 	ca, certs := loadPostgreSQLLegacyTLSConfig(config)
 	switch config.SSL.Mode {
 	case "disable":
 		return nil
 	default:
 		var caCertPool *x509.CertPool
 		switch ca {
 		case nil:
 			caCertPool = globalCACertPool
 		default:
 			caCertPool = globalCACertPool.Clone()
 			caCertPool.AddCert(ca)
 		}
 		tlsConfig = &tls.Config{
 			Certificates:       certs,
 			RootCAs:            caCertPool,
 			InsecureSkipVerify: true, //nolint:gosec
 		}
 		switch {
 		case config.SSL.Mode == "require" && config.SSL.RootCertificate != "" || config.SSL.Mode == "verify-ca":
 			tlsConfig.VerifyPeerCertificate = newPostgreSQLVerifyCAFunc(tlsConfig)
 		case config.SSL.Mode == "verify-full":
 			tlsConfig.InsecureSkipVerify = false
 			tlsConfig.ServerName = config.Host
 		}
 	}
 	return tlsConfig
 }
 func loadPostgreSQLLegacyTLSConfig(config *schema.PostgreSQLStorageConfiguration) (ca *x509.Certificate, certs []tls.Certificate) {
 	var (
 		err error
 	)
--- a/internal/utils/crypto.go
+++ b/internal/utils/crypto.go
@ -235,7 +235,7 @@ func IsX509PrivateKey(i any) bool {
 }
 // NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
-func NewTLSConfig(config *schema.TLSConfig, certPool *x509.CertPool) (tlsConfig *tls.Config) {
+func NewTLSConfig(config *schema.TLSConfig, caCertPool *x509.CertPool) (tlsConfig *tls.Config) {
 	var certificates []tls.Certificate
 	if config.CertificateChain.HasCertificates() && config.PrivateKey != nil {
@ -253,7 +253,7 @@ func NewTLSConfig(config *schema.TLSConfig, certPool *x509.CertPool) (tlsConfig
 		InsecureSkipVerify: config.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
 		MinVersion:         config.MinimumVersion.MinVersion(),
 		MaxVersion:         config.MinimumVersion.MaxVersion(),
-		RootCAs:            certPool,
+		RootCAs:            caCertPool,
 		Certificates:       certificates,
 	}
 }