diff --git a/ydb/library/yql/providers/common/proto/gateways_config.proto b/ydb/library/yql/providers/common/proto/gateways_config.proto
index fb845b8cee7b..db2781f6e13f 100644
--- a/ydb/library/yql/providers/common/proto/gateways_config.proto
+++ b/ydb/library/yql/providers/common/proto/gateways_config.proto
@@ -592,9 +592,11 @@ message TGenericClusterConfig {
 message TGenericConnectorConfig {
     // Connector instance network endpoint
     optional NYql.NConnector.NApi.TEndpoint Endpoint = 3;
-    // If true, GRPC Client will use TLS encryption.
-    // Server cert will be verified with system CA cert pool.
+    // If true, Connector GRPC Client will use TLS encryption.
     optional bool UseSsl = 4;
+    // Path to the custom CA certificate to verify Connector's certs.
+    // If empty, the default system CA certificate pool will be used.
+    optional string SslCaCrt = 5;
 
     reserved 1, 2;
 }
diff --git a/ydb/library/yql/providers/generic/connector/libcpp/client.cpp b/ydb/library/yql/providers/generic/connector/libcpp/client.cpp
index 9d6237808377..e0fe558b7ae1 100644
--- a/ydb/library/yql/providers/generic/connector/libcpp/client.cpp
+++ b/ydb/library/yql/providers/generic/connector/libcpp/client.cpp
@@ -1,3 +1,5 @@
+#include <util/stream/file.h>
+
 #include "client.h"
 
 namespace NYql::NConnector {
@@ -21,10 +23,18 @@ namespace NYql::NConnector {
     public:
         TClientGRPC() = delete;
         TClientGRPC(const TGenericConnectorConfig& config) {
-            TString endpoint = TStringBuilder() << config.GetEndpoint().host() << ":" << ToString(config.GetEndpoint().port());
-            GrpcConfig_ = NYdbGrpc::TGRpcClientConfig(endpoint);
+            GrpcConfig_ = NYdbGrpc::TGRpcClientConfig();
+            GrpcConfig_.Locator = TStringBuilder() << config.GetEndpoint().host() << ":" << config.GetEndpoint().port();
             GrpcConfig_.EnableSsl = config.GetUseSsl();
 
+            // Read content of CA cert
+            TString rootCertData;
+            if (config.GetSslCaCrt()) {
+                rootCertData = TFileInput(config.GetSslCaCrt()).ReadAll();
+            }
+
+            GrpcConfig_.SslCredentials = grpc::SslCredentialsOptions{.pem_root_certs = rootCertData, .pem_private_key = "", .pem_cert_chain = ""};
+
             GrpcClient_ = std::make_unique<NYdbGrpc::TGRpcClientLow>();
 
             // FIXME: is it OK to use single connection during the client lifetime?