diff --git a/internal/connection/connection.go b/internal/connection/connection.go
index 8aebb8ad..d7a64615 100644
--- a/internal/connection/connection.go
+++ b/internal/connection/connection.go
@@ -5,7 +5,6 @@ import (
 "crypto/tls"
 "crypto/x509"
 "fmt"
- "strings"
 "time"
 "github.com/ydb-platform/ydb-go-sdk/v3"
@@ -13,8 +12,6 @@ import (
 "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/insecure"
 "sigs.k8s.io/controller-runtime/pkg/log"
-
- ydbv1alpha1 "github.com/ydb-platform/ydb-kubernetes-operator/api/v1alpha1"
 )
 func Open(ctx context.Context, endpoint string, opts ...ydb.Option) (*ydb.Driver, error) {
@@ -22,10 +19,6 @@ func Open(ctx context.Context, endpoint string, opts ...ydb.Option) (*ydb.Driver
 ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
 defer cancel()
- opts = append(
- opts,
- buildYDBTLSOption(endpoint),
- )
 db, err := ydb.Open(
 ctx,
 endpoint,
@@ -50,25 +43,13 @@ func Close(ctx context.Context, db *ydb.Driver) {
 }
 }
-func buildYDBTLSOption(endpoint string) ydb.Option {
- certPool, _ := x509.SystemCertPool()
- // TODO(shmel1k@): figure out min allowed TLS version?
- tlsConfig := &tls.Config{ //nolint
- RootCAs: certPool,
- }
- if strings.HasPrefix(endpoint, ydbv1alpha1.GRPCSProto) {
- return ydb.WithTLSConfig(tlsConfig)
- }
- return ydb.WithTLSSInsecureSkipVerify()
-}
-
-func BuildGRPCTLSOption(endpoint string) grpc.DialOption {
- certPool, _ := x509.SystemCertPool()
- // TODO(shmel1k@): figure out min allowed TLS version?
- tlsConfig := &tls.Config{ //nolint
- RootCAs: certPool,
- }
- if strings.HasPrefix(endpoint, ydbv1alpha1.GRPCSProto) {
+func LoadTLSCredentials(secure bool) grpc.DialOption {
+ if secure {
+ certPool, _ := x509.SystemCertPool()
+ tlsConfig := &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ RootCAs: certPool,
+ }
 return grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))
 }
 return grpc.WithTransportCredentials(insecure.NewCredentials())
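Review bot: The driver opened here no longer receives any TLS configuration, so the TLS 1.2 floor that `LoadTLSCredentials` now enforces for gRPC dials in this same file is not enforced for the SDK connection made by `Open`; whether the ydb-go-sdk default config sets an equivalent minimum is not visible in the hunk. If the SDK defaults are what the change intends to rely on, a one-line comment at the `ydb.Open(` call, e.g. `// TLS for grpcs:// endpoints comes from the SDK defaults; no explicit config here`, would stop the next reader from re-adding an option; if they do not, passing `ydb.WithTLSConfig(&tls.Config{MinVersion: tls.VersionTLS12})` through `opts` would restore parity (the SDK presumably applies it only to grpcs:// endpoints — confirm before relying on that). Open's body starts and ends outside the hunk.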
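Review bot: `certPool, _ := x509.SystemCertPool()` in the new `LoadTLSCredentials` discards the error, and a nil `certPool` placed in `RootCAs` makes `crypto/tls` fall back to the host root set anyway, so the explicit call adds nothing over leaving `RootCAs` unset while silently hiding a failure to load the roots. Either drop it (`tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12} // nil RootCAs == host root CAs`) or handle the error. The exported function also lacks a doc comment; I would add one stating the contract, e.g. `// LoadTLSCredentials returns gRPC transport credentials: TLS 1.2+ verified against the host root CAs when secure is true, plaintext otherwise.`, and, since only host roots are trusted, note that a storage certificate issued by a cluster-private CA will only verify if that CA is installed in the operator image — presumably the case, but worth stating.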
diff --git a/internal/controllers/database/sync.go b/internal/controllers/database/sync.go
index 74ec3645..ec4299b8 100644
--- a/internal/controllers/database/sync.go
+++ b/internal/controllers/database/sync.go
@@ -70,16 +70,16 @@ func (r *Reconciler) Sync(ctx context.Context, ydbCr *v1alpha1.Database) (ctrl.R
 if stop {
 return result, err
 }
- auth, result, err := r.getYDBCredentials(ctx, &database)
- if auth == nil {
- return result, err
- }
 if !meta.IsStatusConditionTrue(database.Status.Conditions, TenantInitializedCondition) {
 stop, result, err = r.setInitialStatus(ctx, &database)
 if stop {
 return result, err
 }
+ auth, result, err := r.getYDBCredentials(ctx, &database)
+ if auth == nil {
+ return result, err
+ }
 stop, result, err = r.handleTenantCreation(ctx, &database, auth)
 if stop {
 return result, err
@@ -529,8 +529,8 @@ func (r *Reconciler) getYDBCredentials(
 }
 }
 endpoint := database.GetStorageEndpoint()
- secureOpt := connection.BuildGRPCTLSOption(endpoint)
- return ydbCredentials.NewStaticCredentials(username, password, endpoint, secureOpt), ctrl.Result{Requeue: false}, nil
+ secure := connection.LoadTLSCredentials(resources.IsGrpcSecure(database.Storage))
+ return ydbCredentials.NewStaticCredentials(username, password, endpoint, secure), ctrl.Result{Requeue: false}, nil
 }
 }
 return ydbCredentials.NewAnonymousCredentials(), ctrl.Result{Requeue: false}, nil
diff --git a/internal/controllers/storage/init.go b/internal/controllers/storage/init.go
index f84912dc..ebf00dfb 100644
--- a/internal/controllers/storage/init.go
+++ b/internal/controllers/storage/init.go
@@ -114,14 +114,6 @@ func (r *Reconciler) initializeStorage(
 fmt.Sprintf("%s/%s", v1alpha1.BinariesDir, v1alpha1.DaemonBinaryName),
 }
- if resources.IsGrpcSecure(storage.Storage) {
- cmd = append(
- cmd,
- "-s",
- storage.GetGRPCEndpointWithProto(),
- )
- }
 if storage.Spec.OperatorConnection != nil {
 ydbCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
 defer cancel()
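Review bot: The `auth, result, err := r.getYDBCredentials(ctx, &database)` now inside the `if !meta.IsStatusConditionTrue(...)` block declares fresh `result` and `err` that shadow the outer pair for the rest of the block, so the following `stop, result, err = r.handleTenantCreation(...)` writes to the shadows and the outer `result`/`err` keep their earlier values once the block ends. That is harmless only if nothing after the block reads them without reassigning first, which I cannot check because Sync continues past the hunk. Predeclaring `auth` with `var` (its type is the first return of getYDBCredentials, not visible here) and using `auth, result, err = r.getYDBCredentials(ctx, &database)` removes the shadowing; `go vet`'s shadow analyzer flags this pattern.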
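Review bot: When `resources.IsGrpcSecure(database.Storage)` is false, `LoadTLSCredentials` returns plaintext transport credentials and the static `username`/`password` assembled here are sent to the storage endpoint unencrypted, and nothing in the hunk surfaces that combination. I would at least mark it, `// NOTE: with IsGrpcSecure == false these static credentials travel over plaintext gRPC`, and consider logging a warning or refusing static credentials for a non-TLS storage — the operator's policy, not visible here, decides which. Separately, `secure` now holds a `grpc.DialOption` rather than a bool, so a name such as `transportCreds` would read better. getYDBCredentials starts before the hunk.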
@@ -139,6 +131,14 @@ func (r *Reconciler) initializeStorage(
 )
 }
+ if resources.IsGrpcSecure(storage.Storage) {
+ cmd = append(
+ cmd,
+ "-s",
+ storage.GetGRPCEndpointWithProto(),
+ )
+ }
 cmd = append(
 cmd,
 "admin", "blobstorage", "config", "init",
diff --git a/internal/controllers/storage/sync.go b/internal/controllers/storage/sync.go
index c686f186..aa997c9a 100644
--- a/internal/controllers/storage/sync.go
+++ b/internal/controllers/storage/sync.go
@@ -77,6 +77,10 @@ func (r *Reconciler) Sync(ctx context.Context, cr *ydbv1alpha1.Storage) (ctrl.Re
 if stop {
 return result, err
 }
+ stop, result, err = r.runSelfCheck(ctx, &storage, auth, false)
+ if stop {
+ return result, err
+ }
 stop, result, err = r.initializeStorage(ctx, &storage, auth)
 if stop {
 return result, err
@@ -321,8 +325,8 @@ func (r *Reconciler) getYDBCredentials(
 }
 }
 endpoint := storage.GetGRPCEndpoint()
- optSecure := connection.BuildGRPCTLSOption(endpoint)
- return ydbCredentials.NewStaticCredentials(username, password, endpoint, optSecure), ctrl.Result{Requeue: false}, nil
+ secure := connection.LoadTLSCredentials(resources.IsGrpcSecure(storage.Storage))
+ return ydbCredentials.NewStaticCredentials(username, password, endpoint, secure), ctrl.Result{Requeue: false}, nil
 }
 }
 return ydbCredentials.NewAnonymousCredentials(), ctrl.Result{Requeue: false}, nil
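Review bot: The reason `-s <endpoint>` must now be appended after the `storage.Spec.OperatorConnection` block (whose contents lie outside the hunk) and immediately before the `admin blobstorage config init` subcommand is not recorded anywhere, so the next refactor can move it back without noticing. A one-line comment above `if resources.IsGrpcSecure(storage.Storage) {`, e.g. `// -s must come after the OperatorConnection flags and before the subcommand: <reason>`, with the actual constraint filled in, would pin the ordering. initializeStorage starts before the hunk and continues past it.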
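Review bot: `r.runSelfCheck(ctx, &storage, auth, false)` now runs before `initializeStorage`, i.e. against a storage whose blobstorage config may not be initialised yet; if a failing check makes runSelfCheck return stop=true, initialization is never reached, and the bare `false` gives no hint whether it is the argument that relaxes that. runSelfCheck's definition is outside the hunk, so I cannot confirm either way; a short comment on the call naming what the fourth argument controls, or a named constant in place of the literal, would make the intent reviewable. Sync continues past the hunk.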