diff --git a/pgbouncer/kubedb_client_builder.go b/pgbouncer/kubedb_client_builder.go
index e3a4606f..c837828c 100644
--- a/pgbouncer/kubedb_client_builder.go
+++ b/pgbouncer/kubedb_client_builder.go
@@ -19,7 +19,6 @@ package pgbouncer
 import (
 "context"
 "fmt"
-
 api "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
 _ "github.com/lib/pq"
@@ -195,6 +194,7 @@ func (o *KubeDBClientBuilder) getTLSConfig() (*certholder.Paths, error) {
 klog.Error(err, "failed to get certificate secret.", secretName)
 return nil, err
 }
+ err = o.setCACert(certSecret)
 certs, _ := certholder.DefaultHolder.ForResource(api.SchemeGroupVersion.WithResource(api.ResourcePluralPgBouncer), o.pgbouncer.ObjectMeta)
 paths, err := certs.Save(certSecret)
@@ -240,6 +240,18 @@ func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
 return connector, nil
 }
+func (o *KubeDBClientBuilder) setCACert(certSecret *core.Secret) error {
+ secretName := o.pgbouncer.GetCertSecretName(api.PgBouncerClientCert)
+ secretNamespace := o.pgbouncer.Namespace
+ pgbouncerSecret := &core.Secret{}
+ err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: secretNamespace, Name: secretName}, pgbouncerSecret)
+ if err != nil {
+ return err
+ }
+ certSecret.Data[core.ServiceAccountRootCAKey] = pgbouncerSecret.Data[core.ServiceAccountRootCAKey]
+ return nil
+}
+
 func GetXormClientList(kc client.Client, pb *api.PgBouncer, ctx context.Context, auth *Auth, dbName string) (*XormClientList, error) {
 clientlist := &XormClientList{
 List: []*XormClient{},
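Review bot: The error from `o.setCACert(certSecret)` in getTLSConfig is assigned to `err` but never checked, and `paths, err := certs.Save(certSecret)` two lines later overwrites it. If the CA lookup fails, the certificate files are still written and the caller gets no signal that the intended trust anchor was not applied. Return on failure instead, e.g. `if err := o.setCACert(certSecret); err != nil { return nil, err }`, with a `klog.Error` line matching the one just above. getTLSConfig's body starts and ends outside the hunk.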
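Review bot: setCACert copies `pgbouncerSecret.Data[core.ServiceAccountRootCAKey]` into `certSecret.Data` without checking that the key is present or that the destination map is non-nil. When the fetched secret has no CA entry, the assignment silently replaces whatever CA `certSecret` carried with a nil value, and a `certSecret` with a nil `Data` map panics on the write. The function should return an error when the CA is missing or empty and initialise the map before writing, as sketched below. A doc comment naming which secret is the authoritative CA source would also help the next reader, since the helper changes the trust anchor used for the client connection.

```go
func (o *KubeDBClientBuilder) setCACert(certSecret *core.Secret) error {
	// … unchanged: fetch pgbouncerSecret with o.kc.Get and return its error …
	ca, ok := pgbouncerSecret.Data[core.ServiceAccountRootCAKey]
	if !ok || len(ca) == 0 {
		return fmt.Errorf("secret %s/%s has no %s entry", secretNamespace, secretName, core.ServiceAccountRootCAKey)
	}
	if certSecret.Data == nil {
		certSecret.Data = map[string][]byte{}
	}
	certSecret.Data[core.ServiceAccountRootCAKey] = ca
	return nil
}
```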