diff --git a/hack/tls-setup/Makefile b/hack/tls-setup/Makefile
new file mode 100644
index 000000000..8c718b1ee
--- /dev/null
+++ b/hack/tls-setup/Makefile
@@ -0,0 +1,40 @@
+.PHONY: cfssl ca req clean
+
+CFSSL	= @env PATH=$(GOPATH)/bin:$(PATH) cfssl
+JSON	= env PATH=$(GOPATH)/bin:$(PATH) cfssljson
+
+all: cfssl ca req
+
+cfssl:
+	go get -u -tags nopkcs11 github.com/cloudflare/cfssl/cmd/cfssl
+	go get -u github.com/cloudflare/cfssl/cmd/cfssljson
+
+ca:
+	mkdir -p certs
+	$(CFSSL) gencert -initca config/ca-csr.json | $(JSON) -bare certs/ca
+
+req:
+	$(CFSSL) gencert \
+	  -ca certs/ca.pem \
+	  -ca-key certs/ca-key.pem \
+	  -config config/ca-config.json \
+	  config/req-csr.json | $(JSON) -bare certs/etcd1
+	$(CFSSL) gencert \
+	  -ca certs/ca.pem \
+	  -ca-key certs/ca-key.pem \
+	  -config config/ca-config.json \
+	  config/req-csr.json | $(JSON) -bare certs/etcd2
+	$(CFSSL) gencert \
+	  -ca certs/ca.pem \
+	  -ca-key certs/ca-key.pem \
+	  -config config/ca-config.json \
+	  config/req-csr.json | $(JSON) -bare certs/etcd3
+	$(CFSSL) gencert \
+	  -ca certs/ca.pem \
+	  -ca-key certs/ca-key.pem \
+	  -config config/ca-config.json \
+	  config/req-csr.json | $(JSON) -bare certs/proxy1
+
+clean:
+	rm -rf certs
+
diff --git a/hack/tls-setup/Procfile b/hack/tls-setup/Procfile
new file mode 100644
index 000000000..bc5fc8598
--- /dev/null
+++ b/hack/tls-setup/Procfile
@@ -0,0 +1,9 @@
+# Use goreman to run `go get github.com/mattn/goreman`
+etcd1: ../../bin/etcd -name infra1 -listen-client-urls https://localhost:4001 -advertise-client-urls https://localhost:4001 -listen-peer-urls https://localhost:7001 -initial-advertise-peer-urls https://localhost:7001 -initial-cluster-token etcd-cluster-1 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' -initial-cluster-state new --cert-file=certs/etcd1.pem --key-file=certs/etcd1-key.pem --peer-cert-file=certs/etcd1.pem --peer-key-file=certs/etcd1-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
+
+etcd2: ../../bin/etcd -name infra2 -listen-client-urls https://localhost:4002 -advertise-client-urls https://localhost:4002 -listen-peer-urls https://localhost:7002 -initial-advertise-peer-urls https://localhost:7002 -initial-cluster-token etcd-cluster-1 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' -initial-cluster-state new --cert-file=certs/etcd2.pem --key-file=certs/etcd2-key.pem --peer-cert-file=certs/etcd2.pem --peer-key-file=certs/etcd2-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
+
+etcd3: ../../bin/etcd -name infra3 -listen-client-urls https://localhost:4003 -advertise-client-urls https://localhost:4003 -listen-peer-urls https://localhost:7003 -initial-advertise-peer-urls https://localhost:7003 -initial-cluster-token etcd-cluster-1 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' -initial-cluster-state new --cert-file=certs/etcd3.pem --key-file=certs/etcd3-key.pem --peer-cert-file=certs/etcd3.pem --peer-key-file=certs/etcd3-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
+
+proxy: ../../bin/etcd -name proxy1 -proxy=on -listen-client-urls https://localhost:8080 -initial-cluster 'infra1=https://localhost:7001,infra2=https://localhost:7002,infra3=https://localhost:7003' --cert-file=certs/proxy1.pem --key-file=certs/proxy1-key.pem --trusted-ca-file=certs/ca.pem --peer-cert-file=certs/proxy1.pem --peer-key-file=certs/proxy1-key.pem --peer-client-cert-auth --peer-trusted-ca-file=certs/ca.pem
+
diff --git a/hack/tls-setup/README.md b/hack/tls-setup/README.md
new file mode 100644
index 000000000..b5398435e
--- /dev/null
+++ b/hack/tls-setup/README.md
@@ -0,0 +1,9 @@
+This demonstrates using Cloudflare's [cfssl](https://github.com/cloudflare/cfssl) to easily generate certificates for an etcd cluster.
+
+Defaults generate an ECDSA-384 root and leaf certificates for `localhost`. etcd nodes will use the same certificates for both sides of mutual authentication, but won't require client certs for non-peer clients.
+
+**Instructions**
+
+1. Install git, go, and make
+2. Run `make` to generate the certs
+3. Run `goreman start`
diff --git a/hack/tls-setup/config/ca-config.json b/hack/tls-setup/config/ca-config.json
new file mode 100644
index 000000000..e492de1ae
--- /dev/null
+++ b/hack/tls-setup/config/ca-config.json
@@ -0,0 +1,13 @@
+{
+  "signing": {
+    "default": {
+        "usages": [
+          "signing",
+          "key encipherment",
+          "server auth",
+          "client auth"
+        ],
+        "expiry": "8760h"
+    }
+  }
+}
diff --git a/hack/tls-setup/config/ca-csr.json b/hack/tls-setup/config/ca-csr.json
new file mode 100644
index 000000000..4d7dd7530
--- /dev/null
+++ b/hack/tls-setup/config/ca-csr.json
@@ -0,0 +1,16 @@
+{
+  "CN": "Autogenerated CA",
+  "key": {
+    "algo": "ecdsa",
+    "size": 384
+  },
+  "names": [
+    {
+      "O": "Honest Achmed's Used Certificates",
+      "OU": "Hastily-Generated Values Divison",
+      "L": "San Francisco",
+      "ST": "California",
+      "C": "US"
+    }
+  ]
+}
diff --git a/hack/tls-setup/config/req-csr.json b/hack/tls-setup/config/req-csr.json
new file mode 100644
index 000000000..a91ffc902
--- /dev/null
+++ b/hack/tls-setup/config/req-csr.json
@@ -0,0 +1,17 @@
+{
+  "CN": "etcd",
+  "hosts": [
+    "localhost"
+  ],
+  "key": {
+    "algo": "ecdsa",
+    "size": 384
+  },
+  "names": [
+    {
+      "O": "autogenerated",
+      "OU": "etcd cluster",
+      "L": "the internet"
+    }
+  ]
+}