diff --git a/grpc.go b/grpc.go
index 3cace959..af5a6ace 100644
--- a/grpc.go
+++ b/grpc.go
@@ -192,3 +192,25 @@ func WithServerHSPKI() []grpc.ServerOption {
 return []grpc.ServerOption{creds, interceptor}
 }
+
+func WithClientHSPKI() grpc.DialOption {
+ certPool := x509.NewCertPool()
+ ca, err := ioutil.ReadFile(flagCAPath)
+ if err != nil {
+ glog.Exitf("WithClientHSPKI: cannot load CA certificate: %v", err)
+ }
+ if ok := certPool.AppendCertsFromPEM(ca); !ok {
+ glog.Exitf("WithClientHSPKI: cannot use CA certificate: %v", err)
+ }
+
+ clientCert, err := tls.LoadX509KeyPair(flagCertificatePath, flagKeyPath)
+ if err != nil {
+ glog.Exitf("WithClientHSPKI: cannot load service certificate/key: %v", err)
+ }
+
+ creds := credentials.NewTLS(&tls.Config{
+ Certificates: []tls.Certificate{clientCert},
+ RootCAs: certPool,
+ })
+ return grpc.WithTransportCredentials(creds)
+}
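Review bot: In the `AppendCertsFromPEM` failure branch of `WithClientHSPKI`, the log call formats `err`, but `err` is necessarily nil there because `ReadFile` has already succeeded, so the operator sees `<nil>` instead of a cause. Name the file instead, e.g. `glog.Exitf("WithClientHSPKI: cannot use CA certificate: no valid PEM certificates in %q", flagCAPath)`. The `tls.Config` also sets no `MinVersion`, so the protocol floor is whatever the Go toolchain defaults to; adding `MinVersion: tls.VersionTLS12,` makes it explicit. The exported function has no doc comment; something like `// WithClientHSPKI returns a grpc.DialOption that presents the service certificate and trusts only the CA loaded from flagCAPath; it exits the process if either cannot be loaded.` would record the exit-on-failure behaviour for callers.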