diff --git a/cmd/helm/get.go b/cmd/helm/get.go
index fc5871f46f10a6a19c8ca9f46826382318ae6b92..477f730d5588cc0e9509c236da2f9437584ca604 100644
--- a/cmd/helm/get.go
+++ b/cmd/helm/get.go
@@ -64,7 +64,7 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
 			}
 			get.release = args[0]
 			if get.client == nil {
-				get.client = helm.NewClient(helm.Host(settings.TillerHost))
+				get.client = newClient()
 			}
 			return get.run()
 		},
@@ -72,9 +72,9 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
 
 	cmd.Flags().Int32Var(&get.version, "revision", 0, "get the named release with revision")
 
-	cmd.AddCommand(newGetValuesCmd(nil, out))
-	cmd.AddCommand(newGetManifestCmd(nil, out))
-	cmd.AddCommand(newGetHooksCmd(nil, out))
+	cmd.AddCommand(addFlagsTLS(newGetValuesCmd(nil, out)))
+	cmd.AddCommand(addFlagsTLS(newGetManifestCmd(nil, out)))
+	cmd.AddCommand(addFlagsTLS(newGetHooksCmd(nil, out)))
 
 	return cmd
 }
diff --git a/cmd/helm/helm.go b/cmd/helm/helm.go
index 9bc98792ea2fb88438d6577d98147a8aef6a7629..bbe787738c3b9be6f058bfeca6b4dbc43e40adb2 100644
--- a/cmd/helm/helm.go
+++ b/cmd/helm/helm.go
@@ -45,6 +45,10 @@ var (
 	tlsVerify     bool   // enable TLS and verify remote certificates
 	tlsEnable     bool   // enable TLS
 
+	tlsCaCertDefault = "$HELM_HOME/ca.pem"
+	tlsCertDefault   = "$HELM_HOME/cert.pem"
+	tlsKeyDefault    = "$HELM_HOME/key.pem"
+
 	tillerTunnel *kube.Tunnel
 	settings     helm_env.EnvSettings
 )
@@ -263,6 +267,16 @@ func newClient() helm.Interface {
 	options := []helm.Option{helm.Host(settings.TillerHost)}
 
 	if tlsVerify || tlsEnable {
+		if tlsCaCertFile == "" {
+			tlsCaCertFile = os.ExpandEnv(tlsCaCertDefault)
+		}
+		if tlsCertFile == "" {
+			tlsCertFile = os.ExpandEnv(tlsCertDefault)
+		}
+		if tlsKeyFile == "" {
+			tlsKeyFile = os.ExpandEnv(tlsKeyDefault)
+		}
+		debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
 		tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
 		if tlsVerify {
 			tlsopts.CaCertFile = tlsCaCertFile
@@ -281,12 +295,6 @@ func newClient() helm.Interface {
 // addFlagsTLS adds the flags for supporting client side TLS to the
 // helm command (only those that invoke communicate to Tiller.)
 func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
-	// defaults
-	var (
-		tlsCaCertDefault = "$HELM_HOME/ca.pem"
-		tlsCertDefault   = "$HELM_HOME/cert.pem"
-		tlsKeyDefault    = "$HELM_HOME/key.pem"
-	)
 
 	// add flags
 	cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
diff --git a/cmd/helm/history.go b/cmd/helm/history.go
index 08f1656f58b7b81363be7fcc40dbc85d09894222..27c47ad3e0d9046cc42f8120fb0ad1416ffc3212 100644
--- a/cmd/helm/history.go
+++ b/cmd/helm/history.go
@@ -66,7 +66,7 @@ func newHistoryCmd(c helm.Interface, w io.Writer) *cobra.Command {
 			case len(args) == 0:
 				return errReleaseRequired
 			case his.helmc == nil:
-				his.helmc = helm.NewClient(helm.Host(settings.TillerHost))
+				his.helmc = newClient()
 			}
 			his.rls = args[0]
 			return his.run()
diff --git a/cmd/helm/list.go b/cmd/helm/list.go
index f6cdaacfe199ea8b3d1235d553f557a5c1ae2318..7c312a365aaecd3ca4c696f6d3fac5b1430ef154 100644
--- a/cmd/helm/list.go
+++ b/cmd/helm/list.go
@@ -93,7 +93,7 @@ func newListCmd(client helm.Interface, out io.Writer) *cobra.Command {
 				list.filter = strings.Join(args, " ")
 			}
 			if list.client == nil {
-				list.client = helm.NewClient(helm.Host(settings.TillerHost))
+				list.client = newClient()
 			}
 			return list.run()
 		},
diff --git a/cmd/helm/status.go b/cmd/helm/status.go
index 36269c4b1f58fafcac7ca459f3dc045377ece291..e5e9aa44cc66aa0ca9f9154144c3534fc482a042 100644
--- a/cmd/helm/status.go
+++ b/cmd/helm/status.go
@@ -67,7 +67,7 @@ func newStatusCmd(client helm.Interface, out io.Writer) *cobra.Command {
 			}
 			status.release = args[0]
 			if status.client == nil {
-				status.client = helm.NewClient(helm.Host(settings.TillerHost))
+				status.client = newClient()
 			}
 			return status.run()
 		},
diff --git a/cmd/tiller/tiller.go b/cmd/tiller/tiller.go
index f18ce6c3d49fb2b0fb78dfaadaea19f2b06cc6c1..be0b8b256743882340547a202d1df8085da182e3 100644
--- a/cmd/tiller/tiller.go
+++ b/cmd/tiller/tiller.go
@@ -225,7 +225,11 @@ func tlsOptions() tlsutil.Options {
 	opts := tlsutil.Options{CertFile: *certFile, KeyFile: *keyFile}
 	if *tlsVerify {
 		opts.CaCertFile = *caCertFile
-		opts.ClientAuth = tls.VerifyClientCertIfGiven
+
+		// We want to force the client to not only provide a cert, but to
+		// provide a cert that we can validate.
+		// http://www.bite-code.com/2015/06/25/tls-mutual-auth-in-golang/
+		opts.ClientAuth = tls.RequireAndVerifyClientCert
 	}
 	return opts
 }
diff --git a/docs/helm/helm.md b/docs/helm/helm.md
index 793a595d874f9aba2d6b4dab3503029036244e0d..2ef24e759bfa38f727a88932f2c4fc753bf518bf 100644
--- a/docs/helm/helm.md
+++ b/docs/helm/helm.md
@@ -67,4 +67,4 @@ Environment:
 * [helm verify](helm_verify.md)	 - verify that a chart at the given path has been signed and is valid
 * [helm version](helm_version.md)	 - print the client/server version information
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_completion.md b/docs/helm/helm_completion.md
index 619c1d462fa8ebc3dd7b3b7350211694b4a11f54..a9b9f39cee036532b6d08b5bbfc6df714876f899 100644
--- a/docs/helm/helm_completion.md
+++ b/docs/helm/helm_completion.md
@@ -34,4 +34,4 @@ helm completion SHELL
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_create.md b/docs/helm/helm_create.md
index b4e2fab45a10d963b0101449bb0043bdcd5a1052..c7344f05b31fb1b158b90befdf201e768674751c 100644
--- a/docs/helm/helm_create.md
+++ b/docs/helm/helm_create.md
@@ -53,4 +53,4 @@ helm create NAME
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_delete.md b/docs/helm/helm_delete.md
index a1c35d0dc7d6817785473dbee7ae6719e1e4752a..df7b736c27b36e8b79a4f956f53fcf7e3a8d0984 100644
--- a/docs/helm/helm_delete.md
+++ b/docs/helm/helm_delete.md
@@ -44,4 +44,4 @@ helm delete [flags] RELEASE_NAME [...]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_dependency.md b/docs/helm/helm_dependency.md
index 540c49945cf51e0b3197e3d0473a949c1e9ff734..83ced6c9b38124b5c031e54a655a735cc90c229c 100644
--- a/docs/helm/helm_dependency.md
+++ b/docs/helm/helm_dependency.md
@@ -70,4 +70,4 @@ for this case.
 * [helm dependency list](helm_dependency_list.md)	 - list the dependencies for the given chart
 * [helm dependency update](helm_dependency_update.md)	 - update charts/ based on the contents of requirements.yaml
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_dependency_build.md b/docs/helm/helm_dependency_build.md
index 104eb419201c50cdac0a2c6c209d6f717775265c..37936e54306ae704078e9261d57ed6b8b8bc8b46 100644
--- a/docs/helm/helm_dependency_build.md
+++ b/docs/helm/helm_dependency_build.md
@@ -40,4 +40,4 @@ helm dependency build [flags] CHART
 ### SEE ALSO
 * [helm dependency](helm_dependency.md)	 - manage a chart's dependencies
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_dependency_list.md b/docs/helm/helm_dependency_list.md
index 245079df5cad67498e61faeacfb8554a982d087b..af2529883997da4d5b5fca0f189d8e9e68a24132 100644
--- a/docs/helm/helm_dependency_list.md
+++ b/docs/helm/helm_dependency_list.md
@@ -32,4 +32,4 @@ helm dependency list [flags] CHART
 ### SEE ALSO
 * [helm dependency](helm_dependency.md)	 - manage a chart's dependencies
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_dependency_update.md b/docs/helm/helm_dependency_update.md
index 61dde54253888b5a2bffea8cd389e7c4949f4d40..2557e21e4e4567920a289f79649b3c7650e5dd07 100644
--- a/docs/helm/helm_dependency_update.md
+++ b/docs/helm/helm_dependency_update.md
@@ -45,4 +45,4 @@ helm dependency update [flags] CHART
 ### SEE ALSO
 * [helm dependency](helm_dependency.md)	 - manage a chart's dependencies
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_fetch.md b/docs/helm/helm_fetch.md
index 34951891b4215601ec812d1fbfa761e2204526df..a622359745fbcf3a480405d09a8351c42683e4bf 100644
--- a/docs/helm/helm_fetch.md
+++ b/docs/helm/helm_fetch.md
@@ -54,4 +54,4 @@ helm fetch [flags] [chart URL | repo/chartname] [...]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_get.md b/docs/helm/helm_get.md
index 73e020d9fd8269d573deea3c8b64916a833bc1c2..1a9cfb2541c817c8199b1317d63d5f9f07a9b0f7 100644
--- a/docs/helm/helm_get.md
+++ b/docs/helm/helm_get.md
@@ -49,4 +49,4 @@ helm get [flags] RELEASE_NAME
 * [helm get manifest](helm_get_manifest.md)	 - download the manifest for a named release
 * [helm get values](helm_get_values.md)	 - download the values file for a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_get_hooks.md b/docs/helm/helm_get_hooks.md
index 11eae02484a4d90e7d5b7cdead35b28788412031..e573f0fbe973f4f4fa0d712c6f18bc1df6ca1ff4 100644
--- a/docs/helm/helm_get_hooks.md
+++ b/docs/helm/helm_get_hooks.md
@@ -18,7 +18,12 @@ helm get hooks [flags] RELEASE_NAME
 ### Options
 
 ```
-      --revision int32   get the named release with revision
+      --revision int32       get the named release with revision
+      --tls                  enable TLS for request
+      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify           enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -34,4 +39,4 @@ helm get hooks [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_get_manifest.md b/docs/helm/helm_get_manifest.md
index d470772b31a8cf90334eee676155987ffe364d56..53788c89873de612c206133648706becd673c811 100644
--- a/docs/helm/helm_get_manifest.md
+++ b/docs/helm/helm_get_manifest.md
@@ -20,7 +20,12 @@ helm get manifest [flags] RELEASE_NAME
 ### Options
 
 ```
-      --revision int32   get the named release with revision
+      --revision int32       get the named release with revision
+      --tls                  enable TLS for request
+      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify           enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -36,4 +41,4 @@ helm get manifest [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_get_values.md b/docs/helm/helm_get_values.md
index 9e7e183e56afe40262bc299625690975f8187620..5bcfaf5b8c1891493212f68c26031942638a3c3d 100644
--- a/docs/helm/helm_get_values.md
+++ b/docs/helm/helm_get_values.md
@@ -16,8 +16,13 @@ helm get values [flags] RELEASE_NAME
 ### Options
 
 ```
-  -a, --all              dump all (computed) values
-      --revision int32   get the named release with revision
+  -a, --all                  dump all (computed) values
+      --revision int32       get the named release with revision
+      --tls                  enable TLS for request
+      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify           enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -33,4 +38,4 @@ helm get values [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_history.md b/docs/helm/helm_history.md
index c2a3f6b69eecfa4fb25e7455ebff836578520616..786889256f8fbe8baac2bfa4063ff19f0fc9ce9d 100644
--- a/docs/helm/helm_history.md
+++ b/docs/helm/helm_history.md
@@ -49,4 +49,4 @@ helm history [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_home.md b/docs/helm/helm_home.md
index 4077fd799c298e844645fdc3956775d7d196355a..ca369b41c433b643df331c36df46044c6d4ed002 100644
--- a/docs/helm/helm_home.md
+++ b/docs/helm/helm_home.md
@@ -27,4 +27,4 @@ helm home
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_init.md b/docs/helm/helm_init.md
index 90653287adb169f3b6eac4cea6aa308120f8089a..4f722d7a25b3332715f5bac0fd703637afb7e439 100644
--- a/docs/helm/helm_init.md
+++ b/docs/helm/helm_init.md
@@ -67,4 +67,4 @@ helm init
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_inspect.md b/docs/helm/helm_inspect.md
index 2a0bab61982e85f2d68770a2f296e8a4b10293df..52b49f1a3966fdef31b5f1a7047dc3cf01687017 100644
--- a/docs/helm/helm_inspect.md
+++ b/docs/helm/helm_inspect.md
@@ -43,4 +43,4 @@ helm inspect [CHART]
 * [helm inspect chart](helm_inspect_chart.md)	 - shows inspect chart
 * [helm inspect values](helm_inspect_values.md)	 - shows inspect values
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_inspect_chart.md b/docs/helm/helm_inspect_chart.md
index 75b4b16299dd00f8b2c8605a05a34038b1b30b33..b82c08fc99c2c9e04aeccc3ef3730144f99f7e63 100644
--- a/docs/helm/helm_inspect_chart.md
+++ b/docs/helm/helm_inspect_chart.md
@@ -39,4 +39,4 @@ helm inspect chart [CHART]
 ### SEE ALSO
 * [helm inspect](helm_inspect.md)	 - inspect a chart
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_inspect_values.md b/docs/helm/helm_inspect_values.md
index 3c243de37a9b91a7f3994e80392d5727d4ea72a2..9bc61866989d1b64333d36d94ae81a8ec316f490 100644
--- a/docs/helm/helm_inspect_values.md
+++ b/docs/helm/helm_inspect_values.md
@@ -39,4 +39,4 @@ helm inspect values [CHART]
 ### SEE ALSO
 * [helm inspect](helm_inspect.md)	 - inspect a chart
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_install.md b/docs/helm/helm_install.md
index 4f79c76f7b70542979aae3fd02036a940ffb5b75..b4484b760b4ba23ced0d7982ea30212354b4d479 100644
--- a/docs/helm/helm_install.md
+++ b/docs/helm/helm_install.md
@@ -106,4 +106,4 @@ helm install [CHART]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_lint.md b/docs/helm/helm_lint.md
index ef60cbd8426fb0aa0156c3aaf77662ea794069f9..871a7dbb2fa8618700873609128be1f4c0d80831 100644
--- a/docs/helm/helm_lint.md
+++ b/docs/helm/helm_lint.md
@@ -37,4 +37,4 @@ helm lint [flags] PATH
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_list.md b/docs/helm/helm_list.md
index de9b52beaa2460cf65d70c40a99151e0afb91794..72ebfde8fb7bf667ef33def2dc9eb92cd2588071 100644
--- a/docs/helm/helm_list.md
+++ b/docs/helm/helm_list.md
@@ -71,4 +71,4 @@ helm list [flags] [FILTER]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_package.md b/docs/helm/helm_package.md
index 46692ebdaa8e30ba6871d3529930d6c6abb13447..dad079ea70bafa54dd8dc27560725edd8176402c 100644
--- a/docs/helm/helm_package.md
+++ b/docs/helm/helm_package.md
@@ -45,4 +45,4 @@ helm package [flags] [CHART_PATH] [...]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_plugin.md b/docs/helm/helm_plugin.md
index 12240f347bef13b75ddc445946c35a0d2d762816..789347ae8f925fdd11289b6d572cf770feff8364 100644
--- a/docs/helm/helm_plugin.md
+++ b/docs/helm/helm_plugin.md
@@ -26,4 +26,4 @@ Manage client-side Helm plugins.
 * [helm plugin remove](helm_plugin_remove.md)	 - remove one or more Helm plugins
 * [helm plugin update](helm_plugin_update.md)	 - update one or more Helm plugins
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_plugin_install.md b/docs/helm/helm_plugin_install.md
index 3b0e596944a12fe5ba2a92a487e565dc6c117346..df963ab7aa6ddc460f220f1e864fa45f7e29605a 100644
--- a/docs/helm/helm_plugin_install.md
+++ b/docs/helm/helm_plugin_install.md
@@ -30,4 +30,4 @@ helm plugin install [options] <path|url>...
 ### SEE ALSO
 * [helm plugin](helm_plugin.md)	 - add, list, or remove Helm plugins
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_plugin_list.md b/docs/helm/helm_plugin_list.md
index 3a3160809d342fc99396fa731d277a7d994390d3..b0ade487e3b964a7c3d4c5f4400c959b1d63800f 100644
--- a/docs/helm/helm_plugin_list.md
+++ b/docs/helm/helm_plugin_list.md
@@ -24,4 +24,4 @@ helm plugin list
 ### SEE ALSO
 * [helm plugin](helm_plugin.md)	 - add, list, or remove Helm plugins
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_plugin_remove.md b/docs/helm/helm_plugin_remove.md
index e4d5922336268268baf17877124e7ebb2ee78608..0b9c4e15e87df7c22db0767720febe26b1d886d8 100644
--- a/docs/helm/helm_plugin_remove.md
+++ b/docs/helm/helm_plugin_remove.md
@@ -24,4 +24,4 @@ helm plugin remove <plugin>...
 ### SEE ALSO
 * [helm plugin](helm_plugin.md)	 - add, list, or remove Helm plugins
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_plugin_update.md b/docs/helm/helm_plugin_update.md
index 2085e45c2ee2257da0f696821a05b7e72b04839a..d8666d0a193de335e4be542873ff19342b37a907 100644
--- a/docs/helm/helm_plugin_update.md
+++ b/docs/helm/helm_plugin_update.md
@@ -24,4 +24,4 @@ helm plugin update <plugin>...
 ### SEE ALSO
 * [helm plugin](helm_plugin.md)	 - add, list, or remove Helm plugins
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_repo.md b/docs/helm/helm_repo.md
index 8183118a601d722219b975a3e307d160da571889..d2a052cfe97d69beeb42a8dff3c43d1ac9c1dd42 100644
--- a/docs/helm/helm_repo.md
+++ b/docs/helm/helm_repo.md
@@ -31,4 +31,4 @@ Example usage:
 * [helm repo remove](helm_repo_remove.md)	 - remove a chart repository
 * [helm repo update](helm_repo_update.md)	 - update information of available charts locally from chart repositories
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_repo_add.md b/docs/helm/helm_repo_add.md
index 813960312104e8108ec6df6d28416ca42ba24935..1539dc10cf6f40cc25258b6012d8394e1b53687a 100644
--- a/docs/helm/helm_repo_add.md
+++ b/docs/helm/helm_repo_add.md
@@ -33,4 +33,4 @@ helm repo add [flags] [NAME] [URL]
 ### SEE ALSO
 * [helm repo](helm_repo.md)	 - add, list, remove, update, and index chart repositories
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_repo_index.md b/docs/helm/helm_repo_index.md
index 3c820d32786eff3da22f8f5219f11b423388a443..9722e70666c255167f507fc6fb3ce3f082afd499 100644
--- a/docs/helm/helm_repo_index.md
+++ b/docs/helm/helm_repo_index.md
@@ -40,4 +40,4 @@ helm repo index [flags] [DIR]
 ### SEE ALSO
 * [helm repo](helm_repo.md)	 - add, list, remove, update, and index chart repositories
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_repo_list.md b/docs/helm/helm_repo_list.md
index b36bc78a44714335f81dfe8f62efea7055b452b9..6ab7a1b9f59adea36054ab7ca453b824f24f5508 100644
--- a/docs/helm/helm_repo_list.md
+++ b/docs/helm/helm_repo_list.md
@@ -24,4 +24,4 @@ helm repo list [flags]
 ### SEE ALSO
 * [helm repo](helm_repo.md)	 - add, list, remove, update, and index chart repositories
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_repo_remove.md b/docs/helm/helm_repo_remove.md
index 2c7747998645e1d953a27763a3ac01d8feaae4ca..9239d4828af1723f23139cacbdd248f29b7c9222 100644
--- a/docs/helm/helm_repo_remove.md
+++ b/docs/helm/helm_repo_remove.md
@@ -24,4 +24,4 @@ helm repo remove [flags] [NAME]
 ### SEE ALSO
 * [helm repo](helm_repo.md)	 - add, list, remove, update, and index chart repositories
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_repo_update.md b/docs/helm/helm_repo_update.md
index 617c4a80268bc47f25d261711dca26ab9d6dc2c1..8be1718fd9221e2dc808ae98c728aa0f893d7bdb 100644
--- a/docs/helm/helm_repo_update.md
+++ b/docs/helm/helm_repo_update.md
@@ -30,4 +30,4 @@ helm repo update
 ### SEE ALSO
 * [helm repo](helm_repo.md)	 - add, list, remove, update, and index chart repositories
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_reset.md b/docs/helm/helm_reset.md
index 0a67e91185c646515e8402837dad682bb37803a1..4542c9967e213a3641e1fbb8ddfc2561e52f36c9 100644
--- a/docs/helm/helm_reset.md
+++ b/docs/helm/helm_reset.md
@@ -40,4 +40,4 @@ helm reset
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_rollback.md b/docs/helm/helm_rollback.md
index 781ab92ad1172a29b26bf0630ebeac7cc30b202a..335c079c3b7127a2518a2f51e7534bec9c88265c 100644
--- a/docs/helm/helm_rollback.md
+++ b/docs/helm/helm_rollback.md
@@ -46,4 +46,4 @@ helm rollback [flags] [RELEASE] [REVISION]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_search.md b/docs/helm/helm_search.md
index d488856289617d7c7d05453b4498ae9b9132516e..e300efb81b54003d09ab361dae6b3db6135fd021 100644
--- a/docs/helm/helm_search.md
+++ b/docs/helm/helm_search.md
@@ -37,4 +37,4 @@ helm search [keyword]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_serve.md b/docs/helm/helm_serve.md
index 37780369dee3262f91c82cb69e9ecac4461b4746..3a9dd236e49ab52f1d593f9bbc183d84fe3eec04 100644
--- a/docs/helm/helm_serve.md
+++ b/docs/helm/helm_serve.md
@@ -45,4 +45,4 @@ helm serve
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_status.md b/docs/helm/helm_status.md
index bc0285bfa328745f6c6f344a8c03dd215ac221c0..7d8093b867537dd298106039799bde37c39c6fda 100644
--- a/docs/helm/helm_status.md
+++ b/docs/helm/helm_status.md
@@ -44,4 +44,4 @@ helm status [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_template.md b/docs/helm/helm_template.md
index 839a946922eb85359433c9721f80c56e6ba33e59..d31f46b1d50388e73b72c0222dcf3da4f8ead2ef 100644
--- a/docs/helm/helm_template.md
+++ b/docs/helm/helm_template.md
@@ -48,4 +48,4 @@ helm template [flags] CHART
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_test.md b/docs/helm/helm_test.md
index 646bdf76ea37acf5a0a67fb3fe4247f27fc80bd9..51c3897d4ee15b1edfd94fbf202a2d614797171d 100644
--- a/docs/helm/helm_test.md
+++ b/docs/helm/helm_test.md
@@ -41,4 +41,4 @@ helm test [RELEASE]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_upgrade.md b/docs/helm/helm_upgrade.md
index e96cb8bfe749b464574f7d460f58ed69d7f5b3ba..475b3c8045b00482027eed238bfc4a1ba4987e21 100644
--- a/docs/helm/helm_upgrade.md
+++ b/docs/helm/helm_upgrade.md
@@ -76,4 +76,4 @@ helm upgrade [RELEASE] [CHART]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_verify.md b/docs/helm/helm_verify.md
index 4f14de2c89a5de7576e1b451c1c77d28ade75b82..6a2028e776889f7bcc69808717fc7ca37e1b376a 100644
--- a/docs/helm/helm_verify.md
+++ b/docs/helm/helm_verify.md
@@ -39,4 +39,4 @@ helm verify [flags] PATH
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/helm/helm_version.md b/docs/helm/helm_version.md
index 103377809749d97995fc691176b2abe39b0d3fcf..4da154b61e8212cc3988ee7a1cd778bf1966fed4 100644
--- a/docs/helm/helm_version.md
+++ b/docs/helm/helm_version.md
@@ -53,4 +53,4 @@ helm version
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017
diff --git a/docs/index.md b/docs/index.md
index b787463a634c19ad4347fff55609ecad087588e5..a8e4ac483be9ff69054afdad941137218c920629 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -6,6 +6,8 @@
   - [Frequently Asked Questions](install_faq.md)
 - [Using Helm](using_helm.md) - Learn the Helm tools
   - [Plugins](plugins.md)
+  - [Service Accounts for Tiller](service_accounts.md) - Apply RBACs to Tiller
+  - [TLS/SSL for Helm and Tiller](tiller_ssl.md) - Use Helm-to-Tiller encryption
 - [Developing Charts](charts.md) - An introduction to chart development
 	- [Chart Lifecycle Hooks](charts_hooks.md)
 	- [Chart Tips and Tricks](charts_tips_and_tricks.md)
diff --git a/docs/tiller_ssl.md b/docs/tiller_ssl.md
new file mode 100644
index 0000000000000000000000000000000000000000..59d653e26e685e5473b5f022cdef9c7dec7b27df
--- /dev/null
+++ b/docs/tiller_ssl.md
@@ -0,0 +1,291 @@
+# Using SSL Between Helm and Tiller
+
+This document explains how to create strong SSL/TLS connections between Helm and
+Tiller. The emphasis here is on creating an internal CA, and using both the
+cryptographic and identity functions of SSL.
+
+> Support for TLS-based auth was introduced in Helm 2.3.0
+
+Configuring SSL is considered an advanced topic, and knowledge of Helm and Tiller
+is assumed.
+
+## Overview
+
+The Tiller authentication model uses client-side SSL certificates. Tiller itself
+verifies these certificates using a certificate authority. Likewise, the client
+also verifies Tiller's identity by certificate authority.
+
+There are numerous possible configurations for setting up certificates and authorities,
+but the method we cover here will work for most situations.
+
+> As of Helm 2.7.2, Tiller _requires_ that the client certificate be validated
+> by its CA. In prior versions, Tiller used a weaker validation strategy that
+> allowed self-signed certificates.
+
+In this guide, we will show how to:
+
+- Create a private CA that is used to issue certificates for Tiller clients and
+  servers.
+- Create a certificate for Tiller
+- Create a certificate for the Helm client
+- Create a Tiller instance that uses the certificate
+- Configure the Helm client to use the CA and client-side certificate
+
+By the end of this guide, you should have a Tiller instance running that will
+only accept connections from clients who can be authenticated by SSL certificate.
+
+## Generating Certificate Authorities and Certificates
+
+One way to generate SSL CAs is via the `openssl` command line tool. There are many
+guides and best practices documents available online. This explanation is focused
+on getting ready within a small amount of time. For production configurations,
+we urge readers to read [the official documentation](https://www.openssl.org) and
+consult other resources.
+
+### Generate a Certificate Authority
+
+The simplest way to generate a certificate authority is to run two commands:
+
+```console
+$ openssl genrsa -out ./ca.key.pem 4096
+$ openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -out ca.cert.pem -extensions v3_ca
+Enter pass phrase for ca.key.pem:
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:US
+State or Province Name (full name) [Some-State]:CO
+Locality Name (eg, city) []:Boulder
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:tiller
+Organizational Unit Name (eg, section) []:
+Common Name (e.g. server FQDN or YOUR name) []:tiller
+Email Address []:tiller@example.com
+```
+
+Note that the data input above is _sample data_. You should customize to your own
+specifications.
+
+The above will generate both a secret key and a CA. Note that these two files are
+very important. The key in particular should be handled with particular care.
+
+Often, you will want to generate an intermediate signing key. For the sake of brevity,
+we will be signing keys with our root CA.
+
+### Generating Certificates
+
+We will be generating two certificates, each representing a type of certificate:
+
+- One certificate is for Tiller. You will want one of these _per tiller host_ that
+  you run.
+- One certificate is for the user. You will want one of these _per helm user_.
+
+Since the commands to generate these are the same, we'll be creating both at the
+same time. The names will indicate their target.
+
+First, the Tiller key:
+
+```console
+$ openssl genrsa -out ./tiller.key.pem 4096
+Generating RSA private key, 4096 bit long modulus
+..........................................................................................................................................................................................................................................................................................................................++
+............................................................................++
+e is 65537 (0x10001)
+Enter pass phrase for ./tiller.key.pem:
+Verifying - Enter pass phrase for ./tiller.key.pem:
+```
+
+Next, generate the Helm client's key:
+
+```console
+$ openssl genrsa -out ./helm.key.pem 4096
+Generating RSA private key, 4096 bit long modulus
+.....++
+......................................................................................................................................................................................++
+e is 65537 (0x10001)
+Enter pass phrase for ./helm.key.pem:
+Verifying - Enter pass phrase for ./helm.key.pem:
+```
+
+Again, for production use you will generate one client certificate for each user.
+
+Next we need to create certificates from these keys. For each certificate, this is
+a two-step process of creating a CSR, and then creating the certificate.
+
+```console
+$ openssl req -key tiller.key.pem -new -sha256 -out tiller.csr.pem
+Enter pass phrase for tiller.key.pem:
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:US
+State or Province Name (full name) [Some-State]:CO
+Locality Name (eg, city) []:Boulder
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tiller Server
+Organizational Unit Name (eg, section) []:
+Common Name (e.g. server FQDN or YOUR name) []:tiller-server
+Email Address []:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+```
+
+And we repeat this step for the Helm client certificate:
+
+```console
+$ openssl req -key helm.key.pem -new -sha256 -out helm.csr.pem
+# Answer the questions with your client user's info
+```
+
+(In rare cases, we've had to add the `-nodes` flag when generating the request.)
+
+Now we sign each of these CSRs with the CA certificate we created:
+
+```console
+$ openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem
+Signature ok
+subject=/C=US/ST=CO/L=Boulder/O=Tiller Server/CN=tiller-server
+Getting CA Private Key
+Enter pass phrase for ca.key.pem:
+```
+
+And again for the client certificate:
+
+```console
+$ openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in helm.csr.pem -out helm.cert.pem
+```
+
+At this point, the important files for us are these:
+
+```
+# The CA. Make sure the key is kept secret.
+ca.cert.pem
+ca.key.pem
+# The Helm client files
+helm.cert.pem
+helm.key.pem
+# The Tiller server files.
+tiller.cert.pem
+tiller.key.pem
+```
+
+Now we're ready to move on to the next steps.
+
+## Creating a Custom Tiller Installation
+
+Helm includes full support for creating a deployment configured for SSL. By specifying
+a few flags, the `helm init` command can create a new Tiller installation complete
+with all of our SSL configuration.
+
+To take a look at what this will generate, run this command:
+
+```console
+$ helm init --dry-run --debug --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem
+```
+
+The output will show you a Deployment, a Secret, and a Service. Your SSL information
+will be preloaded into the Secret, which the Deployment will mount to pods as they
+start up.
+
+If you want to customize the manifest, you can save that output to a file and then
+use `kubectl create` to load it into your cluster.
+
+> We strongly recommend enabling RBAC on your cluster and adding [service accounts](service_accounts.md)
+> with RBACS.
+
+Otherwise, you can remove the `--dry-run` and `--debug` flags. We also recommend
+putting Tiller in a non-system namespace (`--tiller-namespace=something`) and enable
+a service account (`--service-account=somename`). But for this example we will stay
+with the basics:
+
+```console
+$ helm init --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem
+```
+
+In a minute or two it should be ready. We can check Tiller like this:
+
+```console
+$ kubectl -n kube-system get deployment
+NAME            DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
+... other stuff
+tiller-deploy   1         1         1            1           2m
+```
+
+If there is a problem, you may want to use `kubectl get pods -n kube-system` to
+find out what went wrong. With the SSL/TLS support, the most common problems all
+have to do with improperly generated TLS certificates or accidentally swapping the
+cert and the key.
+
+At this point, you should get a _failure_ when you run basic Helm commands:
+
+```console
+$ helm ls
+Error: transport is closing
+```
+
+This is because your Helm client does not have the correct certificate to authenticate
+to Tiller.
+
+## Configuring the Helm Client
+
+The Tiller server is now running with TLS protection. It's time to configure the
+Helm client to also perform TLS operations.
+
+For a quick test, we can specify our configuration manually. We'll run a normal
+Helm command (`helm ls`), but with SSL/TLS enabled.
+
+```console
+helm ls --tls --tls-ca-cert ca.cert.pem --tls-cert helm.cert.pem --tls-key helm.key.pem
+```
+
+This configuration sends our client-side certificate to establish identity, uses
+the client key for encryption, and uses the CA certificate to validate the remote
+Tiller's identity.
+
+Typing a line that that is cumbersome, though. The shortcut is to move the key,
+cert, and CA into `$HELM_HOME`:
+
+```console
+$ cp ca.cert.pem $(helm home)/ca.pem
+$ cp helm.cert.pem $(helm home)/cert.pem
+$ cp helm.key.pem $(helm home)/key.pem
+```
+
+With this, you can simply run `helm ls --tls` to enable TLS.
+
+### Troubleshooting
+
+*Running a command, I get `Error: transport is closing`*
+
+This is almost always due to a configuration error in which the client is missing
+a certificate (`--tls-cert`) or the certificate is bad.
+
+*I'm using a certificate, but get `Error: remote error: tls: bad certificate`*
+
+This means that Tiller's CA cannot verify your certificate. In the examples above,
+we used a single CA to generate both the client and server certificates. In these
+examples, the CA has _signed_ the client's certificate. We then load that CA
+up to Tiller. So when the client certificate is sent to the server, Tiller
+checks the client certificate against the CA.
+
+*If I use `--tls-verify` on the client, I get `Error: x509: certificate is valid for tiller-server, not localhost`*
+
+If you plan to use `--tls-verify` on the client, you will need to make sure that
+the host name that Helm connects to matches the host name on the certificate. In
+some cases this is awkward, since Helm will connect over localhost, or the FQDN is
+not available for public resolution.
+
+## References
+
+https://github.com/denji/golang-tls
+https://www.openssl.org/docs/
+https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html
diff --git a/pkg/tlsutil/tls.go b/pkg/tlsutil/tls.go
index 422bddacb5abb2dceb4489432e503f470fea7b8a..df698fd4ebbebdbd659f2fe84e7d92edbd46e763 100644
--- a/pkg/tlsutil/tls.go
+++ b/pkg/tlsutil/tls.go
@@ -65,7 +65,7 @@ func CertPoolFromFile(filename string) (*x509.CertPool, error) {
 func CertFromFilePair(certFile, keyFile string) (*tls.Certificate, error) {
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 	if err != nil {
-		return nil, fmt.Errorf("can't load key pair from cert %s and key %s", certFile, keyFile)
+		return nil, fmt.Errorf("can't load key pair from cert %s and key %s: %s", certFile, keyFile, err)
 	}
 	return &cert, err
 }