diff --git a/etcdmain/etcd.go b/etcdmain/etcd.go
index f04eb4f8a..e5d5bd5b8 100644
--- a/etcdmain/etcd.go
+++ b/etcdmain/etcd.go
@@ -314,9 +314,28 @@ func startProxy(cfg *config) error {
 	if cfg.isReadonlyProxy() {
 		ph = httpproxy.NewReadonlyHandler(ph)
 	}
+
+	// setup self signed certs when serving https
+	cHosts, cTLS := []string{}, false
+	for _, u := range cfg.LCUrls {
+		cHosts = append(cHosts, u.Host)
+		cTLS = cTLS || u.Scheme == "https"
+	}
+	for _, u := range cfg.ACUrls {
+		cHosts = append(cHosts, u.Host)
+		cTLS = cTLS || u.Scheme == "https"
+	}
+	listenerTLS := cfg.ClientTLSInfo
+	if cfg.ClientAutoTLS && cTLS {
+		listenerTLS, err = transport.SelfCert(filepath.Join(cfg.Dir, "clientCerts"), cHosts)
+		if err != nil {
+			plog.Fatalf("proxy: could not initialize self-signed client certs (%v)", err)
+		}
+	}
+
 	// Start a proxy server goroutine for each listen address
 	for _, u := range cfg.LCUrls {
-		l, err := transport.NewListener(u.Host, u.Scheme, &cfg.ClientTLSInfo)
+		l, err := transport.NewListener(u.Host, u.Scheme, &listenerTLS)
 		if err != nil {
 			return err
 		}