diff --git a/cmd/pomerium-cli/kubernetes.go b/cmd/pomerium-cli/kubernetes.go
index 113f4e875..d0847a48b 100644
--- a/cmd/pomerium-cli/kubernetes.go
+++ b/cmd/pomerium-cli/kubernetes.go
@@ -15,20 +15,8 @@ import (
 	"github.com/pomerium/pomerium/internal/authclient"
 )
 
-var kubernetesExecCredentialOption struct {
-	disableTLSVerification bool
-	alternateCAPath string
-	caCert string
-}
-
 func init() {
-	flags := kubernetesExecCredentialCmd.Flags()
-	flags.BoolVar(&kubernetesExecCredentialOption.disableTLSVerification, "disable-tls-verification", false,
-		"disables TLS verification")
-	flags.StringVar(&kubernetesExecCredentialOption.alternateCAPath, "alternate-ca-path", "",
-		"path to CA certificate to use for HTTP requests")
-	flags.StringVar(&kubernetesExecCredentialOption.caCert, "ca-cert", "",
-		"base64-encoded CA TLS certificate to use for HTTP requests")
+	addTLSFlags(kubernetesExecCredentialCmd)
 	kubernetesCmd.AddCommand(kubernetesExecCredentialCmd)
 	rootCmd.AddCommand(kubernetesCmd)
 }
@@ -57,11 +45,7 @@ var kubernetesExecCredentialCmd = &cobra.Command{
 
 	var tlsConfig *tls.Config
 	if serverURL.Scheme == "https" {
-		tlsConfig = getTLSConfig(
-			kubernetesExecCredentialOption.disableTLSVerification,
-			kubernetesExecCredentialOption.caCert,
-			kubernetesExecCredentialOption.alternateCAPath,
-		)
+		tlsConfig = getTLSConfig()
 	}
 
 	ac := authclient.New(authclient.WithTLSConfig(tlsConfig))
diff --git a/cmd/pomerium-cli/main.go b/cmd/pomerium-cli/main.go
index c140c2f4b..408c6200c 100644
--- a/cmd/pomerium-cli/main.go
+++ b/cmd/pomerium-cli/main.go
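Review bot: `tlsConfig = getTLSConfig()` in the exec-credential command now takes its settings from the package-level tlsOptions instead of explicit arguments, so this hunk no longer shows which flags shape the TLS config; a one-line comment such as `// TLS settings come from the --disable-tls-verification/--ca-cert/--alternate-ca-path flags registered by addTLSFlags in init.` would keep that visible to the next reader. When serverURL.Scheme is not "https" tlsConfig stays nil, which is unchanged from before. The enclosing command function starts and ends outside the hunk.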
@@ -26,14 +26,30 @@ func fatalf(msg string, args ...interface{}) {
 	os.Exit(1)
 }
 
-func getTLSConfig(insecureSkipVerify bool, caCert, alternateCAPath string) *tls.Config {
+var tlsOptions struct {
+	disableTLSVerification bool
+	alternateCAPath string
+	caCert string
+}
+
+func addTLSFlags(cmd *cobra.Command) {
+	flags := cmd.Flags()
+	flags.BoolVar(&tlsOptions.disableTLSVerification, "disable-tls-verification", false,
+		"disables TLS verification")
+	flags.StringVar(&tlsOptions.alternateCAPath, "alternate-ca-path", "",
+		"path to CA certificate to use for HTTP requests")
+	flags.StringVar(&tlsOptions.caCert, "ca-cert", "",
+		"base64-encoded CA TLS certificate to use for HTTP requests")
+}
+
+func getTLSConfig() *tls.Config {
 	cfg := new(tls.Config)
-	if insecureSkipVerify {
+	if tlsOptions.disableTLSVerification {
 		cfg.InsecureSkipVerify = true
 	}
-	if caCert != "" {
+	if tlsOptions.caCert != "" {
 		var err error
-		cfg.RootCAs, err = cryptutil.GetCertPool(caCert, alternateCAPath)
+		cfg.RootCAs, err = cryptutil.GetCertPool(tlsOptions.caCert, tlsOptions.alternateCAPath)
 		if err != nil {
 			fatalf("%s", err)
 		}
diff --git a/cmd/pomerium-cli/tcp.go b/cmd/pomerium-cli/tcp.go
index eb16785f1..9f4e9b59e 100644
--- a/cmd/pomerium-cli/tcp.go
+++ b/cmd/pomerium-cli/tcp.go
@@ -25,6 +25,7 @@ var tcpCmdOptions struct {
 }
 
 func init() {
+	addTLSFlags(tcpCmd)
 	flags := tcpCmd.Flags()
 	flags.StringVar(&tcpCmdOptions.listen, "listen", "127.0.0.1:0",
 		"local address to start a listener on")
@@ -63,7 +64,7 @@ var tcpCmd = &cobra.Command{
 
 	var tlsConfig *tls.Config
 	if pomeriumURL.Scheme == "https" {
-		tlsConfig = getTLSConfig(false, "", "")
+		tlsConfig = getTLSConfig()
 	}
 
 	l := zerolog.New(zerolog.NewConsoleWriter(func(w *zerolog.ConsoleWriter) {
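Review bot: In getTLSConfig, `--alternate-ca-path` on its own still does nothing, because cryptutil.GetCertPool is reached only inside `if tlsOptions.caCert != ""`, so a user who passes only the path silently gets the system roots; unless GetCertPool is meant to require the base64 cert, the gate should be `if tlsOptions.caCert != "" || tlsOptions.alternateCAPath != "" {`. The flag help text "path to CA certificate to use for HTTP requests" reads as if the path works standalone, which makes that silent fallback easy to miss. addTLSFlags and getTLSConfig would also benefit from doc comments, e.g. `// addTLSFlags registers the shared TLS flags on cmd; their values land in the package-level tlsOptions.` and `// getTLSConfig builds a *tls.Config from tlsOptions and exits via fatalf if the CA cannot be loaded.` Note that getTLSConfig terminates the process through fatalf rather than returning an error, and that the tcp command now honours --disable-tls-verification as well (tcp.go hunks), where `getTLSConfig(false, "", "")` previously always verified the server certificate; a warning log when that flag is set would make the downgrade visible in both commands. getTLSConfig's body continues past the end of the hunk.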