diff --git a/middleware/etcd/setup.go b/middleware/etcd/setup.go
index 380b57167..bedc154f8 100644
--- a/middleware/etcd/setup.go
+++ b/middleware/etcd/setup.go
@@ -2,9 +2,6 @@ package etcd
 import (
 "crypto/tls"
- "net"
- "net/http"
- "time"
 "github.com/coredns/coredns/core/dnsserver"
 "github.com/coredns/coredns/middleware"
@@ -135,7 +132,7 @@ func etcdParse(c *caddy.Controller) (*Etcd, bool, error) {
 func newEtcdClient(endpoints []string, cc *tls.Config) (etcdc.KeysAPI, error) {
 etcdCfg := etcdc.Config{
 Endpoints: endpoints,
- Transport: newHTTPSTransport(cc),
+ Transport: mwtls.NewHTTPSTransport(cc),
 }
 cli, err := etcdc.New(etcdCfg)
 if err != nil {
@@ -144,23 +141,4 @@ func newEtcdClient(endpoints []string, cc *tls.Config) (etcdc.KeysAPI, error) {
 return etcdc.NewKeysAPI(cli), nil
 }
-func newHTTPSTransport(cc *tls.Config) etcdc.CancelableTransport {
- // this seems like a bad idea but was here in the previous version
- if cc != nil {
- cc.InsecureSkipVerify = true
- }
-
- tr := &http.Transport{
- Proxy: http.ProxyFromEnvironment,
- Dial: (&net.Dialer{
- Timeout: 30 * time.Second,
- KeepAlive: 30 * time.Second,
- }).Dial,
- TLSHandshakeTimeout: 10 * time.Second,
- TLSClientConfig: cc,
- }
-
- return tr
-}
-
 const defaultEndpoint = "http://localhost:2379"
diff --git a/middleware/pkg/tls/tls.go b/middleware/pkg/tls/tls.go
index 62889f542..13882c353 100644
--- a/middleware/pkg/tls/tls.go
+++ b/middleware/pkg/tls/tls.go
@@ -5,6 +5,9 @@ import (
 "crypto/x509"
 "fmt"
 "io/ioutil"
+ "net"
+ "net/http"
+ "time"
 )
 // NewTLSConfigFromArgs returns a TLS config based upon the passed 
@@ -102,3 +105,23 @@ func loadRoots(caPath string) (*x509.CertPool, error) {
 }
 return roots, nil
 }
+
+// NetHTTPSTransport returns an HTTP transport configured using tls.Config
+func NewHTTPSTransport(cc *tls.Config) *http.Transport {
+ // this seems like a bad idea but was here in the previous version
+ if cc != nil {
+ cc.InsecureSkipVerify = true
+ }
+
+ tr := &http.Transport{
+ Proxy: http.ProxyFromEnvironment,
+ Dial: (&net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ }).Dial,
+ TLSHandshakeTimeout: 10 * time.Second,
+ TLSClientConfig: cc,
+ }
+
+ return tr
+}
diff --git a/middleware/pkg/tls/tls_test.go b/middleware/pkg/tls/tls_test.go
index 6d0cb7372..408469045 100644
--- a/middleware/pkg/tls/tls_test.go
+++ b/middleware/pkg/tls/tls_test.go
@@ -79,3 +79,23 @@ func TestNewTLSConfigFromArgs(t *testing.T) {
 t.Error("Certificateis should have a single entry when three args passed")
 }
 }
+
+func TestNewHTTPSTransport(t *testing.T) {
+ rmFunc, _, _, ca := getPEMFiles(t)
+ defer rmFunc()
+
+ cc, err := NewTLSClientConfig(ca)
+ if err != nil {
+ t.Errorf("Failed to create TLSConfig: %s", err)
+ }
+
+ tr := NewHTTPSTransport(cc)
+ if tr == nil {
+ t.Errorf("Failed to create https transport with cc")
+ }
+
+ tr = NewHTTPSTransport(nil)
+ if tr == nil {
+ t.Errorf("Failed to create https transport without cc")
+ }
+}
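Review bot: NewHTTPSTransport sets `cc.InsecureSkipVerify = true` on the caller's *tls.Config, so every connection through the returned transport skips server certificate verification and a CA loaded via NewTLSClientConfig in this same package is never actually checked; moving this from etcd into the shared pkg/tls package makes that silent behaviour available to every future caller. The mutation should be removed from the helper (a caller that genuinely needs it can set it on its own config before calling), or if it must stay for compatibility the exported doc comment has to say so: `// NewHTTPSTransport returns an HTTP transport configured using cc. It modifies cc in place and forces InsecureSkipVerify, so server certificates are NOT verified.` The doc comment also misnames the function as `NetHTTPSTransport`; it must start with `NewHTTPSTransport` to satisfy golint and godoc.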
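Review bot: In TestNewHTTPSTransport the error from NewTLSClientConfig is reported with `t.Errorf` but the test then continues with a nil `cc`, so the "with cc" case quietly degrades into the nil case; use `t.Fatalf("Failed to create TLSConfig: %s", err)` instead. The test also only checks that the result is non-nil, which any transport would satisfy; it should assert that the config is actually wired in, e.g. `if tr.TLSClientConfig != cc { t.Errorf("TLSClientConfig not set") }`, and pin whatever the helper is meant to do with InsecureSkipVerify so a change to that behaviour is caught here rather than in production.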