diff --git a/bin/pt-archiver b/bin/pt-archiver index 287da5d4..278c49d1 100755 --- a/bin/pt-archiver +++ b/bin/pt-archiver @@ -8108,6 +8108,12 @@ until the replica is caught up, then proceeds to fetch and archive the row. This option may eliminate the need for L<"--sleep"> or L<"--sleep-coef">. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --no-ascend Do not use ascending index optimization. diff --git a/bin/pt-config-diff b/bin/pt-config-diff index d2aa26aa..78439d82 100755 --- a/bin/pt-config-diff +++ b/bin/pt-config-diff @@ -5791,6 +5791,12 @@ type: array Ignore, do not compare, these variables. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-deadlock-logger b/bin/pt-deadlock-logger index 01b97b1e..f94d7a3a 100755 --- a/bin/pt-deadlock-logger +++ b/bin/pt-deadlock-logger @@ -5549,6 +5549,12 @@ type: string Print all output to this file when daemonized. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --numeric-ip Express IP addresses as integers. diff --git a/bin/pt-duplicate-key-checker b/bin/pt-duplicate-key-checker index e686bbcd..c4b77c5c 100755 --- a/bin/pt-duplicate-key-checker +++ b/bin/pt-duplicate-key-checker @@ -5561,6 +5561,12 @@ type: string; default: fk Check for duplicate f=foreign keys, k=keys or fk=both. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-fk-error-logger b/bin/pt-fk-error-logger index b87252b5..51082677 100755 --- a/bin/pt-fk-error-logger +++ b/bin/pt-fk-error-logger @@ -4546,6 +4546,12 @@ type: string Print all output to this file when daemonized. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-heartbeat b/bin/pt-heartbeat index 6575a9b7..89502d48 100755 
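Review bot: The new `--mysql_ssl` entry documents the option only as "Create SSL MySQL connection.", which tells the operator neither what the int value means nor whether the server certificate is verified. The test in t/pt-replica-find/ssl.t passes `s=0` and `s=1`, so the text could read `Enable (1) or disable (0) SSL/TLS for the MySQL connection.` plus one sentence on whether certificate verification is on by default or must be configured through the option file given with `F`. That second sentence has to be confirmed against the connection code, which is not in these hunks. The same entry is repeated unchanged in the other bin/pt-* hunks of this diff, so the wording should be fixed once and copied. The name also uses an underscore where the neighbouring options visible in these hunks (`--no-ascend`, `--numeric-ip`, `--preserve-triggers`) use hyphens.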
--- a/bin/pt-heartbeat +++ b/bin/pt-heartbeat @@ -7322,6 +7322,12 @@ type: int If specified, pt-heartbeat will fail after given number of successive DBI errors (failure to connect to server or issue a query). +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-kill b/bin/pt-kill index 26c030f0..a0d8fde3 100755 --- a/bin/pt-kill +++ b/bin/pt-kill @@ -8743,6 +8743,12 @@ This option makes pt-kill kill matching queries. This requires MySQL 5.0 or newer. Unlike L<"--kill"> which kills the connection for matching queries, this option only kills the query, not its connection. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --print group: Actions diff --git a/bin/pt-online-schema-change b/bin/pt-online-schema-change index 764e4869..b4836795 100755 --- a/bin/pt-online-schema-change +++ b/bin/pt-online-schema-change @@ -13383,6 +13383,12 @@ until queries are running normally again. This will not prevent queueing, however; it will only give the server a chance to recover from the queueing. If you notice queueing, it is best to decrease the chunk time. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --preserve-triggers Preserves old triggers when specified. diff --git a/bin/pt-replica-find b/bin/pt-replica-find index f61a1a39..a9f334b0 100755 --- a/bin/pt-replica-find +++ b/bin/pt-replica-find @@ -4444,6 +4444,12 @@ short form: -h; type: string Connect to host. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-replica-restart b/bin/pt-replica-restart index 759bedaa..d9eb5ad3 100755 --- a/bin/pt-replica-restart +++ b/bin/pt-replica-restart 
@@ -6036,6 +6036,12 @@ See L<"SLEEP">. Whether to monitor the replica (default). Unless you specify --monitor explicitly, L<"--stop"> will disable it. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-show-grants b/bin/pt-show-grants index 5cd45247..664ab4f3 100755 --- a/bin/pt-show-grants +++ b/bin/pt-show-grants @@ -2471,6 +2471,12 @@ type: array Ignore this comma-separated list of users. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --only type: array diff --git a/bin/pt-table-checksum b/bin/pt-table-checksum index ea1779e7..15ee3e2e 100755 --- a/bin/pt-table-checksum +++ b/bin/pt-table-checksum @@ -13336,6 +13336,16 @@ This is useful in cases where you have trouble checksumming tables with keys tha include a binary data type or that have non-standard character sets. See L<"--replicate">. +=item --charset + +short form: -A; type: string + +Default character set. If the value is utf8, sets Perl's binmode on +STDOUT to utf8, passes the mysql_enable_utf8 option to DBD::mysql, and +runs SET NAMES UTF8 after connecting to MySQL. Any other value sets +binmode on STDOUT without the utf8 layer, and runs SET NAMES after +connecting to MySQL. + =item --check-interval type: time; default: 1; group: Throttle @@ -13761,6 +13771,12 @@ wait until queries are running normally again. This will not prevent queueing, however; it will only give the server a chance to recover from the queueing. If you notice queueing, it is best to decrease the chunk time. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string; group: Connection diff --git a/bin/pt-table-sync b/bin/pt-table-sync index 573f968b..e214f769 100755 --- a/bin/pt-table-sync +++ b/bin/pt-table-sync 
@@ -12909,6 +12909,12 @@ dump and reload or even something like L). It requires exactly two DSNs and assumes they are on the same server, so it does no waiting for replication or the like. Tables are locked with LOCK TABLES. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-table-usage b/bin/pt-table-usage index 92538414..c6c69aeb 100755 --- a/bin/pt-table-usage +++ b/bin/pt-table-usage @@ -8372,6 +8372,12 @@ type: string Print all output to this file when daemonized. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-upgrade b/bin/pt-upgrade index b9e010ae..ef37b79f 100755 --- a/bin/pt-upgrade +++ b/bin/pt-upgrade @@ -11198,6 +11198,12 @@ Max number of examples to list for each L<"QUERY DIFFERENCES">. A query class is reported as soon as this many examples for any type of query difference are found. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/bin/pt-variable-advisor b/bin/pt-variable-advisor index 319428e6..6fa2b8e5 100755 --- a/bin/pt-variable-advisor +++ b/bin/pt-variable-advisor @@ -6154,6 +6154,12 @@ Ignore these rule IDs. Specify a comma-separated list of rule IDs (e.g. LIT.001,RES.002,etc.) to ignore. +=item --mysql_ssl + +short form: -s; type: int + +Create SSL MySQL connection. + =item --password short form: -p; type: string diff --git a/t/pt-replica-find/ssl.t b/t/pt-replica-find/ssl.t new file mode 100644 index 00000000..dc6492ff --- /dev/null +++ b/t/pt-replica-find/ssl.t 
@@ -0,0 +1,126 @@ +#!/usr/bin/env perl + +BEGIN { + die "The PERCONA_TOOLKIT_BRANCH environment variable is not set.\n" + unless $ENV{PERCONA_TOOLKIT_BRANCH} && -d $ENV{PERCONA_TOOLKIT_BRANCH}; + unshift @INC, "$ENV{PERCONA_TOOLKIT_BRANCH}/lib"; +}; + +use strict; +use warnings FATAL => 'all'; +use English qw(-no_match_vars); +use Test::More; + +use PerconaTest; +use Sandbox; +require "$trunk/bin/pt-replica-find"; + +if ( $sandbox_version lt '8.0' ) { + plan skip_all => "Requires MySQL 8.0 or newer"; +} + +my $dp = new DSNParser(opts=>$dsn_opts); +my $sb = new Sandbox(basedir => '/tmp', DSNParser => $dp); +my $source_dbh = $sb->get_dbh_for('source'); +my $replica1_dbh = $sb->get_dbh_for('replica1'); +my $replica2_dbh = $sb->get_dbh_for('replica2'); +my $output; + +# This test is sensitive to ghost/old replicas created/destroyed by other +# tests. So we stop the replicas, restart the source, and start everything +# again. Hopefully this will return the env to its original state. +$replica2_dbh->do("STOP ${replica_name}"); +$replica1_dbh->do("STOP ${replica_name}"); +diag(`/tmp/12345/stop >/dev/null`); +diag(`/tmp/12345/start >/dev/null`); +$replica1_dbh->do("START ${replica_name}"); +$replica2_dbh->do("START ${replica_name}"); + +if ( !$source_dbh ) { + plan skip_all => 'Cannot connect to sandbox source'; +} +elsif ( !$replica1_dbh ) { + plan skip_all => 'Cannot connect to sandbox replica'; +} +elsif ( !$replica2_dbh ) { + plan skip_all => 'Cannot connect to second sandbox replica'; +} + +$sb->do_as_root( + 'source', + q/CREATE USER IF NOT EXISTS sha256_user@'%' IDENTIFIED WITH caching_sha2_password BY 'sha256_user%password' REQUIRE SSL/, + q/GRANT REPLICATION SLAVE, PROCESS ON *.* TO sha256_user@'%'/, +); + +# Start an instance +$output = `$trunk/bin/pt-replica-find h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=0 --report-format hostname 2>&1`; + +isnt( + $?, + 0, + "Error raised when SSL connection is not used" +) or diag($output); + +like( + $output, + 
qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'Secure connection error raised when no SSL connection used' +) or diag($output); + +$output = `$trunk/bin/pt-replica-find h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1 --report-format hostname 2>&1`; + +is( + $?, + 0, + "No error for user, identified with caching_sha2_password" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error' +) or diag($output); + +my $expected = <&1`; + +is( + $?, + 0, + "No error for SSL options in the configuration file" +) or diag($output); + +unlike( + $output, + qr/Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection./, + 'No secure connection error with correct SSL options in the configuration file' +) or diag($output); + +$output = `$trunk/bin/pt-replica-find F=t/pt-archiver/samples/pt-191-error.cnf,h=127.1,P=12345,u=sha256_user,p=sha256_user%password,s=1 --report-format hostname --recurse 0 2>&1`; + +isnt( + $?, + 0, + "Error for invalid SSL options in the configuration file" +) or diag($output); + +like( + $output, + qr/SSL connection error: Unable to get private key at/, + 'SSL connection error with incorrect SSL options in the configuration file' +) or diag($output); + +# ############################################################################# +# Done. +# ############################################################################# +$sb->do_as_root('source', q/DROP USER 'sha256_user'@'%'/); + +ok($sb->ok(), "Sandbox servers") or BAIL_OUT(__FILE__ . " broke the sandbox"); +done_testing;
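Review bot: The `plan skip_all` checks for `$source_dbh`, `$replica1_dbh` and `$replica2_dbh` come after `$replica2_dbh->do("STOP ${replica_name}")` and the other STOP/START calls. If `get_dbh_for` returns undef on failure, as those checks imply, the script dies on an undefined handle instead of skipping, so the `if ( !$source_dbh ) … elsif …` block should move directly below the three `get_dbh_for` calls. The last case passes `F=t/pt-archiver/samples/pt-191-error.cnf` relative to the current directory while the tool is run as `$trunk/bin/pt-replica-find`; `F=$trunk/t/pt-archiver/samples/pt-191-error.cnf` would make the result independent of where the test is started. `DROP USER 'sha256_user'@'%'` runs only when the script reaches its end, so any earlier die (warnings are FATAL here) leaves an account with a known password, host `%`, and REPLICATION SLAVE and PROCESS in the sandbox; doing the cleanup in an `END` block would avoid that.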