diff --git a/teos/src/cli.rs b/teos/src/cli.rs
index 47a36bc6..059ea49f 100644
--- a/teos/src/cli.rs
+++ b/teos/src/cli.rs
@@ -2,12 +2,16 @@
 use serde_json::to_string_pretty as pretty_json;
 use std::fs;
 use std::str::FromStr;
 use structopt::StructOpt;
-use tonic::Request;
+use tonic::{
+ transport::{Channel, ClientTlsConfig},
+ Request,
+};
 use teos::cli_config::{Command, Config, Opt};
 use teos::config;
 use teos::protos as msgs;
 use teos::protos::private_tower_services_client::PrivateTowerServicesClient;
+use teos::tls::Identity;
 use teos_common::UserId;
 
 #[tokio::main]
@@ -27,17 +31,37 @@ async fn main() {
 let mut conf = config::from_file::(path.join("teos.toml"));
 conf.patch_with_options(opt);
 
- // Create gRPC client and send request
- let mut client =
- PrivateTowerServicesClient::connect(format!("http://{}:{}", conf.rpc_bind, conf.rpc_port))
- .await
- .unwrap_or_else(|e| {
- eprintln!("Cannot connect to the tower. Connection refused");
- if conf.debug {
- eprintln!("{:?}", e);
- }
- std::process::exit(1);
- });
+ let client_key_path = path.join("client-key.pem");
+ let client_cert_path = path.join("client.pem");
+ let ca_cert_path = path.join("ca.pem");
+ let key = std::fs::read(&client_key_path).expect("unable to read client key from disk");
+ let certificate =
+ std::fs::read(client_cert_path).expect("unable to read client cert from disk");
+ let client_id = Identity { certificate, key };
+ let ca_cert = std::fs::read(ca_cert_path).expect("unable to read ca cert from disk");
+ let ca_cert = tonic::transport::Certificate::from_pem(ca_cert);
+
+ let tls = ClientTlsConfig::new()
+ .domain_name("localhost")
+ .ca_certificate(ca_cert)
+ .identity(client_id.to_tonic_identity());
+
+ let endpoint = format!("http://{}:{}", conf.rpc_bind, conf.rpc_port);
+ let channel = Channel::from_shared(endpoint)
+ .expect("Cannot create channel from endpoint")
+ .tls_config(tls)
+ .unwrap_or_else(|e| {
+ eprintln!("Could not configure tls: {:?}", e);
+ std::process::exit(1);
+ })
+ .connect()
+ .await
+ .unwrap_or_else(|e| {
+ eprintln!("Could not connect to tower: {:?}", e);
+ std::process::exit(1);
+ });
+
+ let mut client = PrivateTowerServicesClient::new(channel);
 
 match command {
 Command::GetAllAppointments => {
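Review bot: `.domain_name("localhost")` is hard-coded while the endpoint host comes from `conf.rpc_bind`, so hostname verification of the tower's certificate is pinned to `localhost` regardless of the configured address; if the server certificate is issued for the bind host this should be `.domain_name(&conf.rpc_bind)` (or a dedicated config option), and if it is deliberately `localhost`-only that deserves a comment such as `// The tower's TLS cert is always issued for "localhost"; the CLI is meant to run on the same host`. The endpoint is built with an `http://` scheme while a `ClientTlsConfig` is attached; it is worth confirming that tonic negotiates TLS for this combination rather than relying on the scheme, and using `https://` would make the intent unambiguous. The three `std::fs::read(..).expect(..)` calls on the key and certificate paths abort with a panic and backtrace, whereas the channel setup a few lines below uses the `eprintln!` + `std::process::exit(1)` pattern; using the same pattern for the file reads, and keeping the `conf.debug` gating that the removed code applied before printing `{:?}` of the error, would be consistent with the rest of the CLI. `main` begins and ends outside this hunk.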