diff --git a/src/ServiceControl.Audit.Persistence.RavenDB/RavenPersistenceConfiguration.cs b/src/ServiceControl.Audit.Persistence.RavenDB/RavenPersistenceConfiguration.cs
index 013d5ad247..b22003ceae 100644
--- a/src/ServiceControl.Audit.Persistence.RavenDB/RavenPersistenceConfiguration.cs
+++ b/src/ServiceControl.Audit.Persistence.RavenDB/RavenPersistenceConfiguration.cs
@@ -14,6 +14,7 @@ public class RavenPersistenceConfiguration : IPersistenceConfiguration
 public const string ConnectionStringKey = "RavenDB/ConnectionString";
 public const string ClientCertificatePathKey = "RavenDB/ClientCertificatePath";
 public const string ClientCertificateBase64Key = "RavenDB/ClientCertificateBase64";
+ public const string ClientCertificatePasswordKey = "RavenDB/ClientCertificatePassword";
 public const string DatabaseMaintenancePortKey = "DatabaseMaintenancePort";
 public const string ExpirationProcessTimerInSecondsKey = "ExpirationProcessTimerInSeconds";
 public const string LogPathKey = "LogPath";
@@ -28,6 +29,7 @@ public class RavenPersistenceConfiguration : IPersistenceConfiguration
 ConnectionStringKey,
 ClientCertificatePathKey,
 ClientCertificateBase64Key,
+ ClientCertificatePasswordKey,
 DatabaseMaintenancePortKey,
 ExpirationProcessTimerInSecondsKey,
 LogPathKey,
@@ -72,6 +74,10 @@ internal static DatabaseConfiguration GetDatabaseConfiguration(PersistenceSettin
 {
 serverConfiguration.ClientCertificateBase64 = clientCertificateBase64;
 }
+ if (settings.PersisterSpecificSettings.TryGetValue(ClientCertificatePasswordKey, out var clientCertificatePassword))
+ {
+ serverConfiguration.ClientCertificatePassword = clientCertificatePassword;
+ }
 }
 else
 {
diff --git a/src/ServiceControl.Audit.Persistence.RavenDB/ServerConfiguration.cs b/src/ServiceControl.Audit.Persistence.RavenDB/ServerConfiguration.cs
index 2637504f5d..ef4255849a 100644
--- a/src/ServiceControl.Audit.Persistence.RavenDB/ServerConfiguration.cs
+++ b/src/ServiceControl.Audit.Persistence.RavenDB/ServerConfiguration.cs
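Review bot: The value read under `ClientCertificatePasswordKey` in GetDatabaseConfiguration is a secret, but it travels as an ordinary string setting alongside the path and Base64 values, with nothing marking it as sensitive. If PersisterSpecificSettings or ServerConfiguration are ever written to logs or diagnostics (not visible in this diff), the password would be written with them; the same applies to `ServerConfiguration.ClientCertificatePassword` and `RavenPersisterSettings.ClientCertificatePassword` in the later hunks. I would add a comment on the constant such as `// Secret: never log or echo this value`, and check that any settings dump redacts this key. The if/else that encloses the added lines starts and ends outside the hunk.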
@@ -22,6 +22,7 @@ public ServerConfiguration(string dbPath, string serverUrl, string logPath, stri
 public string ConnectionString { get; }
 public string ClientCertificatePath { get; internal set; }
 public string ClientCertificateBase64 { get; internal set; }
+ public string ClientCertificatePassword { get; internal set; }
 public bool UseEmbeddedServer { get; }
 public string DbPath { get; internal set; } //Setter for ATT only
 public string ServerUrl { get; }
diff --git a/src/ServiceControl.Persistence.RavenDB/RavenBootstrapper.cs b/src/ServiceControl.Persistence.RavenDB/RavenBootstrapper.cs
index 8f3a2624ac..bc6e294289 100644
--- a/src/ServiceControl.Persistence.RavenDB/RavenBootstrapper.cs
+++ b/src/ServiceControl.Persistence.RavenDB/RavenBootstrapper.cs
@@ -9,6 +9,7 @@ static class RavenBootstrapper
 public const string ConnectionStringKey = "RavenDB/ConnectionString";
 public const string ClientCertificatePathKey = "RavenDB/ClientCertificatePath";
 public const string ClientCertificateBase64Key = "RavenDB/ClientCertificateBase64";
+ public const string ClientCertificatePasswordKey = "RavenDB/ClientCertificatePassword";
 public const string MinimumStorageLeftRequiredForIngestionKey = "MinimumStorageLeftRequiredForIngestion";
 public const string DatabaseNameKey = "RavenDB/DatabaseName";
 public const string LogsPathKey = "LogPath";
diff --git a/src/ServiceControl.Persistence.RavenDB/RavenPersistenceConfiguration.cs b/src/ServiceControl.Persistence.RavenDB/RavenPersistenceConfiguration.cs
index 2cec289a08..f9f66aa6ca 100644
--- a/src/ServiceControl.Persistence.RavenDB/RavenPersistenceConfiguration.cs
+++ b/src/ServiceControl.Persistence.RavenDB/RavenPersistenceConfiguration.cs
@@ -36,6 +36,7 @@ static T GetRequiredSetting(SettingsRootNamespace settingsRootNamespace, stri
 ConnectionString = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.ConnectionStringKey),
 ClientCertificatePath = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.ClientCertificatePathKey),
 ClientCertificateBase64 = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.ClientCertificateBase64Key),
+ ClientCertificatePassword = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.ClientCertificatePasswordKey),
 DatabaseName = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.DatabaseNameKey, RavenPersisterSettings.DatabaseNameDefault),
 DatabasePath = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.DatabasePathKey, DefaultDatabaseLocation()),
 DatabaseMaintenancePort = SettingsReader.Read(settingsRootNamespace, RavenBootstrapper.DatabaseMaintenancePortKey, RavenPersisterSettings.DatabaseMaintenancePortDefault),
diff --git a/src/ServiceControl.Persistence.RavenDB/RavenPersisterSettings.cs b/src/ServiceControl.Persistence.RavenDB/RavenPersisterSettings.cs
index bcd60dc21c..13ceb6b874 100644
--- a/src/ServiceControl.Persistence.RavenDB/RavenPersisterSettings.cs
+++ b/src/ServiceControl.Persistence.RavenDB/RavenPersisterSettings.cs
@@ -26,6 +26,7 @@ class RavenPersisterSettings : PersistenceSettings, IRavenClientCertificateInfo
 public string ConnectionString { get; set; }
 public string ClientCertificatePath { get; set; }
 public string ClientCertificateBase64 { get; set; }
+ public string ClientCertificatePassword { get; set; }
 public bool UseEmbeddedServer => string.IsNullOrWhiteSpace(ConnectionString);
 public string LogPath { get; set; }
 public string LogsMode { get; set; } = LogsModeDefault;
diff --git a/src/ServiceControl.RavenDB/RavenClientCertificate.cs b/src/ServiceControl.RavenDB/RavenClientCertificate.cs
index 159b131b5b..41f142f39e 100644
--- a/src/ServiceControl.RavenDB/RavenClientCertificate.cs
+++ b/src/ServiceControl.RavenDB/RavenClientCertificate.cs
@@ -15,7 +15,7 @@ public static class RavenClientCertificate
 try
 {
 var bytes = Convert.FromBase64String(certInfo.ClientCertificateBase64);
- return new X509Certificate2(bytes);
+ return new X509Certificate2(bytes, certInfo.ClientCertificatePassword);
 }
 catch (Exception x) when (x is FormatException or CryptographicException)
 {
@@ -25,7 +25,7 @@ public static class RavenClientCertificate
 if (certInfo.ClientCertificatePath is not null)
 {
- return new X509Certificate2(certInfo.ClientCertificatePath);
+ return new X509Certificate2(certInfo.ClientCertificatePath, certInfo.ClientCertificatePassword);
 }
 var applicationDirectory = Path.GetDirectoryName(Assembly.GetEntryAssembly()?.Location) ?? string.Empty;
@@ -33,7 +33,7 @@ public static class RavenClientCertificate
 if (File.Exists(certificatePath))
 {
- return new X509Certificate2(certificatePath);
+ return new X509Certificate2(certificatePath, certInfo.ClientCertificatePassword);
 }
 return null;
 }
@@ -43,4 +43,5 @@ public interface IRavenClientCertificateInfo
 {
 string? ClientCertificatePath { get; }
 string? ClientCertificateBase64 { get; }
+ string? ClientCertificatePassword { get; }
 }
\ No newline at end of file
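Review bot: The `catch (Exception x) when (x is FormatException or CryptographicException)` filter around the Base64 load now also receives the CryptographicException raised for a wrong or missing password. The exception thrown in the catch body (outside this hunk) should therefore name the password setting as a possible cause, without including its value. The two file-based loads in the hunks at lines 25 and 33 have no such wrapper, so a bad password there surfaces as a bare CryptographicException with no hint of which setting is wrong. Wrapping those two loads the same way would give operators one consistent, actionable error.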
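Review bot: `new X509Certificate2(certInfo.ClientCertificatePath, certInfo.ClientCertificatePassword)` infers the file format from its content, and these constructors are marked obsolete from .NET 9 in favour of `X509CertificateLoader`. If the project's target framework allows it (not visible here), `X509CertificateLoader.LoadPkcs12FromFile(certInfo.ClientCertificatePath, certInfo.ClientCertificatePassword)` states that a password-protected PKCS#12 file is expected. The same applies to the load in the hunk at line 33 and, with `LoadPkcs12`, to the Base64 load at line 15. The loader rejects non-PKCS#12 input that the current constructor accepts, so deployments using other certificate formats would need checking first.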