diff --git a/etc/emqx.conf b/etc/emqx.conf
index 35861d77e..55d889deb 100644
--- a/etc/emqx.conf
+++ b/etc/emqx.conf
@@ -114,6 +114,22 @@ cluster.autoclean = 5m
 ## Default: 1m, 1 minute
 ## cluster.etcd.node_ttl = 1m
 
+## Path to a file containing the client's private PEM-encoded key.
+##
+## Value: File
+## cluster.etcd.ssl.keyfile = {{ platform_etc_dir }}/certs/client-key.pem
+
+## The path to a file containing the client's certificate.
+##
+## Value: File
+## cluster.etcd.ssl.certfile = {{ platform_etc_dir }}/certs/client.pem
+
+## Path to the file containing PEM-encoded CA certificates. The CA certificates
+## are used during server authentication and when building the client certificate chain.
+##
+## Value: File
+## cluster.etcd.ssl.cacertfile = {{ platform_etc_dir }}/certs/ca.pem
+
 ##--------------------------------------------------------------------
 ## Cluster using Kubernates
 
diff --git a/priv/emqx.schema b/priv/emqx.schema
index 8a97984f6..e6944ba79 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -105,6 +105,18 @@
 {default, "1m"}
 ]}.
 
+{mapping, "cluster.etcd.ssl.keyfile", "ekka.cluster_discovery", [
+ {datatype, string}
+]}.
+
+{mapping, "cluster.etcd.ssl.certfile", "ekka.cluster_discovery", [
+ {datatype, string}
+]}.
+
+{mapping, "cluster.etcd.ssl.cacertfile", "ekka.cluster_discovery", [
+ {datatype, string}
+]}.
+
 %%--------------------------------------------------------------------
 %% Cluster on K8s
 
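Review bot: In etc/emqx.conf the `cluster.etcd.ssl.cacertfile` comment says the CA certificates are used for server authentication, but neither the three options documented here nor their mappings in priv/emqx.schema expose a way to turn peer verification on. Erlang's ssl client defaulted to `verify_none` before OTP 26, so unless ekka sets `verify_peer` itself (not visible in this diff), a configured CA file would not by itself cause the etcd server certificate to be checked. Consider documenting and mapping a verification option alongside these, e.g. `{mapping, "cluster.etcd.ssl.verify", "ekka.cluster_discovery", [{datatype, {enum, [verify_peer, verify_none]}}]}.`. The keyfile comment could also state that the key file should be readable only by the account the broker runs as.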
@@ -149,9 +161,16 @@
 [{name, cuttlefish:conf_get("cluster.dns.name", Conf)},
 {app, cuttlefish:conf_get("cluster.dns.app", Conf)}];
 (etcd) ->
+ SslOpts = fun(Conf) ->
+ Options = cuttlefish_variable:filter_by_prefix("cluster.etcd.ssl", Conf),
+ lists:map(fun({["cluster", "etcd", "ssl", Name], Value}) ->
+ {list_to_atom(Name), Value}
+ end, Options)
+ end,
 [{server, string:tokens(cuttlefish:conf_get("cluster.etcd.server", Conf), ",")},
 {prefix, cuttlefish:conf_get("cluster.etcd.prefix", Conf, "emqcl")},
- {node_ttl, cuttlefish:conf_get("cluster.etcd.node_ttl", Conf, 60)}];
+ {node_ttl, cuttlefish:conf_get("cluster.etcd.node_ttl", Conf, 60)},
+ {ssl_options, SslOpts(Conf)}];
 (k8s) ->
 [{apiserver, cuttlefish:conf_get("cluster.k8s.apiserver", Conf)},
 {service_name, cuttlefish:conf_get("cluster.k8s.service_name", Conf)},
@@ -2106,4 +2125,4 @@ end}.
 [{check_interval, cuttlefish:conf_get("vm_mon.check_interval", Conf)},
 {process_high_watermark, cuttlefish:conf_get("vm_mon.process_high_watermark", Conf)},
 {process_low_watermark, cuttlefish:conf_get("vm_mon.process_low_watermark", Conf)}]
-end}.
+end}.
\ No newline at end of file
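Review bot: In the `(etcd)` clause, `SslOpts` turns every key name found under `cluster.etcd.ssl` into an atom with `list_to_atom/1`, and its fun head matches only four-segment keys, so the options handed to ekka follow whatever the config file contains (unless cuttlefish rejects unmapped keys earlier), and a deeper key under that prefix would fail with `function_clause` while the config is generated. Naming the accepted options keeps the set bounded, e.g. `[{K, V} || K <- [keyfile, certfile, cacertfile], V <- [cuttlefish:conf_get("cluster.etcd.ssl." ++ atom_to_list(K), Conf, undefined)], V =/= undefined]`. The inner `fun(Conf)` also appears to shadow the `Conf` that the neighbouring clauses already use, which the compiler warns about, and the closure is not needed for a single call. `{ssl_options, []}` is now emitted even when no TLS option is set, and whether ekka treats an empty list as a plain-HTTP connection is not visible here. The enclosing translation fun begins and ends outside this hunk.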