diff --git a/weed/command/scaffold/filer.toml b/weed/command/scaffold/filer.toml
index a685d50d8..41c44e092 100644
--- a/weed/command/scaffold/filer.toml
+++ b/weed/command/scaffold/filer.toml
@@ -186,6 +186,12 @@ hosts = [
 ]
 username = ""
 password = ""
+# Set the CA certificate path
+tls_ca_file=""
+# Set the client certificate path
+tls_client_crt_file=""
+# Set the client private key path
+tls_client_key_file=""
 # This changes the data layout. Only add new directories. Removing/Updating will cause data loss.
 superLargeDirectories = []
 # Name of the datacenter local to this filer, used as host selection fallback.
diff --git a/weed/filer/cassandra2/cassandra_store.go b/weed/filer/cassandra2/cassandra_store.go
index 7ce3d32c1..2260d32a1 100644
--- a/weed/filer/cassandra2/cassandra_store.go
+++ b/weed/filer/cassandra2/cassandra_store.go
@@ -34,6 +34,9 @@ func (store *Cassandra2Store) Initialize(configuration util.Configuration, prefi
 configuration.GetStringSlice(prefix+"hosts"),
 configuration.GetString(prefix+"username"),
 configuration.GetString(prefix+"password"),
+ configuration.GetString(prefix+"tls_ca_file"),
+ configuration.GetString(prefix+"tls_client_crt_file"),
+ configuration.GetString(prefix+"tls_client_key_file"),
 configuration.GetStringSlice(prefix+"superLargeDirectories"),
 configuration.GetString(prefix+"localDC"),
 configuration.GetInt(prefix+"connection_timeout_millisecond"),
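Review bot: The three comments added in the filer.toml hunk say what each path is but not that these keys are the only switch for TLS. Per the store code in this commit, leaving all three empty keeps the connection in plaintext, and setting any one of them turns on TLS with host verification. I would replace the first comment with `# Setting any tls_* path enables TLS with host verification; leave all three empty for an unencrypted connection.` and add `# tls_client_crt_file and tls_client_key_file are a pair (client certificate authentication); set both or neither.` The second statement is inferred from how the driver is expected to load key pairs, so confirm it before committing the wording. The new keys are also written without spaces around `=` (`tls_ca_file=""`), unlike the neighbouring `username = ""`.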
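Review bot: The call in `Initialize` now passes five adjacent positional `string` arguments (username, password and the three TLS paths), so transposing `tls_client_crt_file` and `tls_client_key_file` would compile without complaint and only surface as a handshake or load failure at runtime. Grouping the three paths into one small struct parameter would make the call site self-describing. If the positional form is kept, add a comment above the three new lines such as `// order must match initialize(): CA, client cert, client key`. `Initialize` begins and ends outside this hunk, so the rest of the argument list is not visible here.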
@@ -45,11 +48,19 @@ func (store *Cassandra2Store) isSuperLargeDirectory(dir string) (dirHash string,
 return
 }
 
-func (store *Cassandra2Store) initialize(keyspace string, hosts []string, username string, password string, superLargeDirectories []string, localDC string, timeout int) (err error) {
+func (store *Cassandra2Store) initialize(keyspace string, hosts []string, username string, password string, tlsCaFile string, tlsClientCrtFile string, tlsClientKeyFile string, superLargeDirectories []string, localDC string, timeout int) (err error) {
 store.cluster = gocql.NewCluster(hosts...)
 if username != "" && password != "" {
 store.cluster.Authenticator = gocql.PasswordAuthenticator{Username: username, Password: password}
 }
+ if tlsCaFile != "" || tlsClientCrtFile != "" || tlsClientKeyFile != "" {
+ store.cluster.SslOpts = &gocql.SslOptions{
+ CaPath: tlsCaFile,
+ CertPath: tlsClientCrtFile,
+ KeyPath: tlsClientKeyFile,
+ EnableHostVerification: true,
+ }
+ }
 store.cluster.Keyspace = keyspace
 store.cluster.Timeout = time.Duration(timeout) * time.Millisecond
 glog.V(0).Infof("timeout = %d", timeout)
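Review bot: In `initialize`, TLS is switched on only as a side effect of a non-empty path, so a deployment that sets `username`/`password` and leaves the three paths empty still sends the `PasswordAuthenticator` credentials over an unencrypted connection, with nothing in the log to say so. The new block also accepts a certificate without a key (or the reverse) and hands that half-configured pair to the driver; it presumably fails later when the session is created, but a check here would name the offending config keys. I would reject the mismatched pair up front and log a warning when password authentication is configured without TLS, as sketched below (this assumes `fmt` is already imported in the file). `EnableHostVerification: true` is the right default and should stay. The function body continues past the end of this hunk.

```go
	// … unchanged: gocql.NewCluster and PasswordAuthenticator setup …
	if (tlsClientCrtFile == "") != (tlsClientKeyFile == "") {
		return fmt.Errorf("tls_client_crt_file and tls_client_key_file must be set together")
	}
	if tlsCaFile != "" || tlsClientCrtFile != "" || tlsClientKeyFile != "" {
		// … unchanged: store.cluster.SslOpts assignment with EnableHostVerification: true …
	} else if username != "" && password != "" {
		glog.Warningf("cassandra2: password authentication is configured without TLS; credentials are sent unencrypted")
	}
	// … unchanged: keyspace and timeout setup …
```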