diff --git a/lib/srv/db/access_test.go b/lib/srv/db/access_test.go
index fd78715f63e0a..0e6d188470f70 100644
--- a/lib/srv/db/access_test.go
+++ b/lib/srv/db/access_test.go
@@ -1785,6 +1785,7 @@ func withSelfHostedPostgres(name string) withDatabaseOption {
 postgresServer, err := postgres.NewTestServer(common.TestServerConfig{
 Name: name,
 AuthClient: testCtx.authClient,
+ ClientAuth: tls.RequireAndVerifyClientCert,
 })
 require.NoError(t, err)
 go postgresServer.Serve()
@@ -1939,6 +1940,7 @@ func withSelfHostedMySQL(name string) withDatabaseOption {
 mysqlServer, err := mysql.NewTestServer(common.TestServerConfig{
 Name: name,
 AuthClient: testCtx.authClient,
+ ClientAuth: tls.RequireAndVerifyClientCert,
 })
 require.NoError(t, err)
 go mysqlServer.Serve()
@@ -2104,6 +2106,7 @@ func withSelfHostedMongo(name string, opts ...mongodb.TestServerOption) withData
 mongoServer, err := mongodb.NewTestServer(common.TestServerConfig{
 Name: name,
 AuthClient: testCtx.authClient,
+ ClientAuth: tls.RequireAndVerifyClientCert,
 }, opts...)
 require.NoError(t, err)
 go mongoServer.Serve()
@@ -2129,6 +2132,7 @@ func withSelfHostedRedis(name string, opts ...redis.TestServerOption) withDataba
 redisServer, err := redis.NewTestServer(t, common.TestServerConfig{
 Name: name,
 AuthClient: testCtx.authClient,
+ ClientAuth: tls.RequireAndVerifyClientCert,
 }, opts...)
 require.NoError(t, err)
diff --git a/lib/srv/db/common/test.go b/lib/srv/db/common/test.go
index 5a992e7749d3e..b331f57aee460 100644
--- a/lib/srv/db/common/test.go
+++ b/lib/srv/db/common/test.go
@@ -46,7 +46,7 @@ type TestServerConfig struct {
 AuthUser string
 // AuthToken is used in tests simulating IAM token authentication.
 AuthToken string
- // CN allows to set specific CommonName in the database server certificate.
+ // CN allows setting specific CommonName in the database server certificate.
 //
 // Used when simulating test Cloud SQL database which should contains
 // : in its certificate.
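Review bot: Client certificate verification becomes opt-in per call site here, so only the four NewTestServer calls in withSelfHostedPostgres, withSelfHostedMySQL, withSelfHostedMongo and withSelfHostedRedis now require and verify a client certificate; any other NewTestServer call in this file that is not touched keeps the zero value of ClientAuth, which is tls.NoClientCert, and so still accepts connections without a client certificate. A one-line comment at the first site would make that intent visible to the next reader, e.g. `// Require a client certificate so the test exercises the server-side mTLS check.`. The hunks also rely on the `tls` identifier being in scope in access_test.go; the import block is not shown, so confirm `crypto/tls` is already imported there or this will not build. Each of the four enclosing functions starts and ends outside its hunk.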
@@ -54,6 +54,9 @@ type TestServerConfig struct {
 // ListenTLS creates a TLS listener when true instead of using a net listener.
 // This is used to simulate MySQL connections through the GCP Cloud SQL Proxy.
 ListenTLS bool
+ // ClientAuth sets tls.ClientAuth in server's tls.Config. It can be used to force client
+ // certificate validation in tests.
+ ClientAuth tls.ClientAuthType
 }
 // MakeTestServerTLSConfig returns TLS config suitable for configuring test
@@ -94,6 +97,7 @@ func MakeTestServerTLSConfig(config TestServerConfig) (*tls.Config, error) {
 }
 return &tls.Config{
 ClientCAs: pool,
+ ClientAuth: config.ClientAuth,
 Certificates: []tls.Certificate{cert},
 }, nil
 }
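Review bot: The doc comment on the new ClientAuth field should state its zero value, because tls.ClientAuthType defaults to tls.NoClientCert, and in that mode the ClientCAs pool that MakeTestServerTLSConfig still sets in the @@ -94 hunk is never consulted — a test server that omits the field performs no client certificate verification at all, which is easy to miss when reading only the struct. Suggested replacement for the two added comment lines: `// ClientAuth sets tls.ClientAuth in the server's tls.Config. The zero value is tls.NoClientCert, in which case ClientCAs is not consulted; set tls.RequireAndVerifyClientCert to force client certificate validation in tests.`. This keeps existing callers' behaviour unchanged while making the opt-in explicit. Both the TestServerConfig struct and MakeTestServerTLSConfig extend beyond their hunks.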