diff --git a/broker/http_broker.go b/broker/http_broker.go
index c78c028d..bface133 100644
--- a/broker/http_broker.go
+++ b/broker/http_broker.go
@@ -144,11 +144,15 @@ func (h *httpBroker) start() error {
 	var err error
 
 	if h.opts.Secure {
-		cert, err := mls.Certificate(h.address)
-		if err != nil {
-			return err
+		config := h.opts.TLSConfig
+		if config == nil {
+			cert, err := mls.Certificate(h.address)
+			if err != nil {
+				return err
+			}
+			config = &tls.Config{Certificates: []tls.Certificate{cert}}
 		}
-		l, err = tls.Listen("tcp", h.address, &tls.Config{Certificates: []tls.Certificate{cert}})
+		l, err = tls.Listen("tcp", h.address, config)
 	} else {
 		l, err = net.Listen("tcp", h.address)
 	}
diff --git a/broker/options.go b/broker/options.go
index 73008358..77f5ce69 100644
--- a/broker/options.go
+++ b/broker/options.go
@@ -1,11 +1,14 @@
 package broker
 
 import (
+	"crypto/tls"
+
 	"golang.org/x/net/context"
 )
 
 type Options struct {
-	Secure bool
+	Secure    bool
+	TLSConfig *tls.Config
 
 	// Other options for implementations of the interface
 	// can be stored in a context
@@ -71,3 +74,10 @@ func Secure(b bool) Option {
 		o.Secure = b
 	}
 }
+
+// Specify TLS Config
+func TLSConfig(t *tls.Config) Option {
+	return func(o *Options) {
+		o.TLSConfig = t
+	}
+}
diff --git a/registry/consul_registry.go b/registry/consul_registry.go
index 3d44fb44..e80a7fa2 100644
--- a/registry/consul_registry.go
+++ b/registry/consul_registry.go
@@ -19,7 +19,13 @@ type consulRegistry struct {
 	Options Options
 }
 
-func newTransport() *http.Transport {
+func newTransport(config *tls.Config) *http.Transport {
+	if config == nil {
+		config = &tls.Config{
+			InsecureSkipVerify: true,
+		}
+	}
+
 	t := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		Dial: (&net.Dialer{
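Review bot: A non-nil h.opts.TLSConfig is handed to tls.Listen untouched, so a caller-supplied config that carries neither Certificates nor GetCertificate skips the mls.Certificate fallback and fails inside tls.Listen instead of getting the generated certificate; whether that is intended is not stated anywhere. If the generated certificate is meant to be the default only when no config is given, say so at the new fallback: `// a caller-supplied TLSConfig must bring its own certificate; the self-signed one is generated only when no config is set`. Note also that `cert, err := mls.Certificate(h.address)` inside the new nested block declares a fresh err shadowing the outer `var err error`; it is harmless because of the immediate return, but vet's shadow check will flag it. start() begins and ends outside this hunk.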
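Review bot: The doc comment on the new option, `// Specify TLS Config`, does not begin with the function name, so godoc and golint will treat it as malformed; use `// TLSConfig sets the tls.Config used by implementations when Secure is enabled.` The identical comment is added on the TLSConfig function in registry/options.go in the last hunk and should be fixed the same way. The new exported field TLSConfig in the Options struct hunk above also has no comment, unlike nothing else but it will be the documented entry point for users reading the struct, so a one-liner there (`// TLSConfig, when set, replaces the implementation's default TLS settings`) would help.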
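Review bot: The nil fallback added at the top of newTransport keeps `InsecureSkipVerify: true`, so a caller that sets Secure without also passing a TLSConfig still gets a client that does not verify the consul server's certificate, and neither the new parameter nor the option documents that. If preserving the old behaviour for existing users is the goal, make it explicit with a doc comment such as `// newTransport returns the HTTPS transport for the consul client. A nil config preserves the previous behaviour of skipping server certificate verification; pass a config to verify.`; otherwise consider `config = &tls.Config{}` as the default so verification is on unless a caller opts out, noting that this is a behaviour change. The broker's equivalent fallback in broker/http_broker.go generates a certificate rather than disabling verification, so the two Secure paths now have different defaults and that asymmetry is worth a sentence in the option's doc. The body of newTransport continues in the next hunk.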
@@ -27,9 +33,7 @@ func newTransport() *http.Transport {
 			KeepAlive: 30 * time.Second,
 		}).Dial,
 		TLSHandshakeTimeout: 10 * time.Second,
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
-		},
+		TLSClientConfig:     config,
 	}
 	runtime.SetFinalizer(&t, func(tr **http.Transport) {
 		(*tr).CloseIdleConnections()
@@ -120,7 +124,7 @@ func newConsulRegistry(addrs []string, opts ...Option) Registry {
 	if opt.Secure {
 		config.Scheme = "https"
 		// We're going to support InsecureSkipVerify
-		config.HttpClient.Transport = newTransport()
+		config.HttpClient.Transport = newTransport(opt.TLSConfig)
 	}
 
 	// create the client
diff --git a/registry/options.go b/registry/options.go
index 1cb224af..5f69b961 100644
--- a/registry/options.go
+++ b/registry/options.go
@@ -1,14 +1,16 @@
 package registry
 
 import (
+	"crypto/tls"
 	"time"
 
 	"golang.org/x/net/context"
 )
 
 type Options struct {
-	Timeout time.Duration
-	Secure  bool
+	Timeout   time.Duration
+	Secure    bool
+	TLSConfig *tls.Config
 
 	// Other options for implementations of the interface
 	// can be stored in a context
@@ -27,3 +29,10 @@ func Secure(b bool) Option {
 		o.Secure = b
 	}
 }
+
+// Specify TLS Config
+func TLSConfig(t *tls.Config) Option {
+	return func(o *Options) {
+		o.TLSConfig = t
+	}
+}
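Review bot: The context comment `// We're going to support InsecureSkipVerify` directly above the changed call is now misleading, because newTransport uses the caller's opt.TLSConfig when one is supplied and only falls back to skipping verification when it is nil. Replace it with `// nil TLSConfig falls back to a transport that skips server certificate verification` so a reader of newConsulRegistry sees the insecure default without opening newTransport. newConsulRegistry begins and ends outside this hunk.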