diff --git a/features/config-create.feature b/features/config-create.feature
index 54ee9518..536f1859 100644
--- a/features/config-create.feature
+++ b/features/config-create.feature
@@ -242,3 +242,16 @@ Feature: Create a wp-config file
       """
       PasswordWith'SingleQuotes'
       """
+
+  @require-mysql @require-mysql-5.7
+  Scenario: Configure with required SSL connection
+    Given an empty directory
+    And WP files
+    And I run `MYSQL_PWD='{DB_ROOT_PASSWORD}' MYSQL_HOST='{MYSQL_HOST}' MYSQL_TCP_PORT='{MYSQL_PORT}' mysql -u root -e "CREATE USER IF NOT EXISTS 'wp_cli_test_ssl'@'%' IDENTIFIED BY 'password2' REQUIRE SSL;"`
+
+    When I try `wp config create --dbhost=127.0.0.1 --dbname=wp_cli_test --dbuser=wp_cli_test_ssl --dbpass=password2 --ssl`
+    Then the return code should be 0
+    And the wp-config.php file should contain:
+      """
+      define( 'DB_USER', 'wp_cli_test_ssl' )
+      """
diff --git a/src/Config_Command.php b/src/Config_Command.php
index 133f162a..5b76aba0 100644
--- a/src/Config_Command.php
+++ b/src/Config_Command.php
@@ -166,6 +166,9 @@ private static function get_initial_locale() {
 	 * [--insecure]
 	 * : Retry API download without certificate validation if TLS handshake fails. Note: This makes the request vulnerable to a MITM attack.
 	 *
+	 * [--ssl]
+	 * : Use SSL when checking the database connection.
+	 *
 	 * ## EXAMPLES
 	 *
 	 *     # Standard wp-config.php file
@@ -201,6 +204,7 @@ public function create( $_, $assoc_args ) {
 			'dbcollate'   => '',
 			'locale'      => self::get_initial_locale(),
 			'config-file' => rtrim( ABSPATH, '/\\' ) . '/wp-config.php',
+			'ssl'         => false,
 		];
 		$assoc_args = array_merge( $defaults, $assoc_args );
 		if ( empty( $assoc_args['dbprefix'] ) ) {
@@ -231,12 +235,18 @@ public function create( $_, $assoc_args ) {
 					$host   = substr( $host, 0, $socket_pos );
 				}
 
+				$flags = 0;
+
+				if ( $assoc_args['ssl'] ) {
+					$flags = MYSQLI_CLIENT_SSL;
+				}
+
 				if ( file_exists( $socket ) ) {
 					// If dbhost is a path to a socket
-					mysqli_real_connect( $mysql, null, $assoc_args['dbuser'], $assoc_args['dbpass'], null, null, $socket );
+					mysqli_real_connect( $mysql, null, $assoc_args['dbuser'], $assoc_args['dbpass'], null, null, $socket, $flags );
 				} else {
 					// If dbhost is a hostname or IP address
-					mysqli_real_connect( $mysql, $host, $assoc_args['dbuser'], $assoc_args['dbpass'] );
+					mysqli_real_connect( $mysql, $host, $assoc_args['dbuser'], $assoc_args['dbpass'], null, null, null, $flags );
 				}
 			} catch ( mysqli_sql_exception $exception ) {
 				WP_CLI::error( 'Database connection error (' . $exception->getCode() . ') ' . $exception->getMessage() );