diff --git a/examples/aws/README.md b/examples/aws/README.md index cc699daaae..2be04394fa 100644 --- a/examples/aws/README.md +++ b/examples/aws/README.md @@ -457,6 +457,7 @@ The CF and Diego release repositories provide scripts to generate the necessary 1. To generate certificates for consul, loggregator run: ```bash cd $DEPLOYMENT_DIR/certs +$CF_RELEASE_DIR/scripts/generate-cf-diego-certs $CF_RELEASE_DIR/scripts/generate-consul-certs $CF_RELEASE_DIR/scripts/generate-loggregator-certs ``` @@ -477,7 +478,7 @@ popd 1. To generate certificates for BBS servers in the Diego deployment, run: ```bash -$DIEGO_RELEASE_DIR/scripts/generate-diego-certs +$DIEGO_RELEASE_DIR/scripts/generate-diego-certs cf-diego-ca $CF_RELEASE_DIR/cf-diego-certs mv $DIEGO_RELEASE_DIR/diego-certs/* $DEPLOYMENT_DIR/certs ``` @@ -526,6 +527,7 @@ DEPLOYMENT_DIR/certs You can ignore any files with a `crl` or `csr` extension. +The certificates in `cf-diego-certs` are used to set SSL properties for the communication between CF and Diego. The certificates in `consul-certs` are used to set SSL properties for the consul VMs. The certificates in `loggregator-certs` are used to set SSL properties for the Loggregator subsystem. The certificates in `uaa-certs` are used to set SSL properties for the UAA subsystem. diff --git a/examples/aws/deploy_aws_environment b/examples/aws/deploy_aws_environment index 31b4f2776b..23a9e3be36 100755 --- a/examples/aws/deploy_aws_environment +++ b/examples/aws/deploy_aws_environment 
@@ -49,6 +49,10 @@ cf_credentials() { --- cf_credentials: ssh_host_key_fingerprint: "$(cat keypair/ssh-proxy-host-key-fingerprint)" + cc: +$(block ca_cert certs/cf-diego-certs/cf-diego-ca.crt | indent | indent) +$(block public_cert certs/cf-diego-certs/cloud-controller.crt | indent | indent) +$(block private_key certs/cf-diego-certs/cloud-controller.key | indent | indent) consul: $(block ca_cert certs/consul-certs/server-ca.crt | indent | indent) $(block agent_cert certs/consul-certs/agent.crt | indent | indent) diff --git a/examples/aws/templates/cf/stub-internal.yml b/examples/aws/templates/cf/stub-internal.yml index 9e015412e2..452b40658f 100644 --- a/examples/aws/templates/cf/stub-internal.yml +++ b/examples/aws/templates/cf/stub-internal.yml @@ -171,6 +171,10 @@ properties: droplet_directory_key: (( Resources.Bucket.Droplets )) buildpacks: buildpack_directory_key: (( Resources.Bucket.Buildpacks )) + mutual_tls: + ca_cert: (( cf_credentials.cc.ca_cert )) + public_cert: (( cf_credentials.cc.public_cert )) + private_key: (( cf_credentials.cc.private_key )) ccdb: address: (( properties.databases.address )) diff --git a/examples/aws/templates/cf/stub.yml b/examples/aws/templates/cf/stub.yml index 917b749984..a23a2f6357 100644 --- a/examples/aws/templates/cf/stub.yml +++ b/examples/aws/templates/cf/stub.yml @@ -177,6 +177,10 @@ properties: droplet_directory_key: (( merge )) buildpacks: buildpack_directory_key: (( merge )) + mutual_tls: + ca_cert: (( merge )) + public_cert: (( merge )) + private_key: (( merge )) loggregator: tls: diff --git a/scripts/generate-diego-certs b/scripts/generate-diego-certs index a0409a1521..f1e2031dc8 100755 --- a/scripts/generate-diego-certs +++ b/scripts/generate-diego-certs 
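Review bot: The new `cc:` block reads `certs/cf-diego-certs/cf-diego-ca.crt` and the cloud-controller key pair relative to the deployment directory, while the README hunk in this same commit hands `generate-diego-certs` the depot `$CF_RELEASE_DIR/cf-diego-certs`, so the two steps name different locations for the same CA; unless `generate-cf-diego-certs` (not visible here) writes to both, one of the paths will be missing at run time. I would pin the expected location above the block, e.g. `# cf-diego-certs/ is produced by cf-release's scripts/generate-cf-diego-certs, run from $DEPLOYMENT_DIR/certs (see README)`, and make the README's diego step use that same path. This block also inlines `cloud-controller.key` into the generated credentials document, so whatever file `cf_credentials` is written to holds a private key and should be created 0600 and kept out of version control. `cf_credentials()` begins before this hunk.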
@@ -2,11 +2,23 @@ set -e -x +existing_ca="$1" +existing_depot="$2" + pushd `dirname "$0"`/.. - scripts/generate-diego-ca-certs - scripts/generate-bbs-certs diego-ca diego-certs - scripts/generate-rep-certs diego-ca diego-certs - scripts/generate-auctioneer-certs diego-ca diego-certs + if [ -z "$existing_ca" ]; then + scripts/generate-diego-ca-certs + existing_ca=diego-ca + fi + + if [ -z "$existing_depot" ]; then + existing_depot=diego-certs + fi + + scripts/generate-bbs-certs "$existing_ca" "$existing_depot" + scripts/generate-rep-certs "$existing_ca" "$existing_depot" + scripts/generate-auctioneer-certs "$existing_ca" "$existing_depot" + scripts/generate-tps-certs "$existing_ca" "$existing_depot" popd echo "Outputted certs to diego-certs" diff --git a/scripts/generate-tps-certs b/scripts/generate-tps-certs new file mode 100755 index 0000000000..30be355fdd --- /dev/null +++ b/scripts/generate-tps-certs @@ -0,0 +1,40 @@ +#!/bin/bash + +set -e -x + +usage() { + >&2 echo " Usage: + $0 DIEGO_CA_NAME DIEGO_CA_CERT_DIRECTORY + + Ex: + $0 diegoCA ~/workspace/diego-release/diego-certs/ +" + exit 1 +} + +ca_name=$1 +ca_cert_directory=$2 + +if [ -z "${ca_name}" ]; then + >&2 echo "Specify a CA" + usage +fi + +if [ ! -d "${ca_cert_directory}" ]; then + >&2 echo "Specify location of CA cert and key" + usage +fi + +# Install certstrap +go get -v github.com/square/certstrap + +# Place keys and certificates here +output_path="diego-certs/tps-certs" +mkdir -p ${output_path} + +client_cn='tps_watcher' +certstrap --depot-path ${ca_cert_directory} request-cert --passphrase '' --common-name $client_cn +certstrap --depot-path ${ca_cert_directory} sign $client_cn --CA $ca_name +mv -f "${ca_cert_directory}/${client_cn}.key" "${output_path}/client.key" +mv -f "${ca_cert_directory}/${client_cn}.csr" "${output_path}/client.csr" +mv -f "${ca_cert_directory}/${client_cn}.crt" "${output_path}/client.crt"
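Review bot: The new argument handling accepts a CA name in `$1` without checking that its key is present in the depot, so `generate-diego-certs cf-diego-ca` with no second argument silently falls back to `existing_depot=diego-certs` and the failure only surfaces later inside certstrap's `sign` step rather than at the entry point. Since the depot layout is `<name>.key`/`<name>.crt` (as the `mv` lines in generate-tps-certs show), a guard after the two defaults catches it: `if [ -n "$existing_ca" ] && [ ! -f "$existing_depot/$existing_ca.key" ]; then` / `  >&2 echo "CA key $existing_depot/$existing_ca.key not found"; exit 1` / `fi`. Now that the script takes positional arguments it needs a usage header; I would add `# Usage: generate-diego-certs [EXISTING_CA_NAME [CA_DEPOT_DIR]] -- when a CA is given, all Diego component certs are signed by it instead of a freshly generated diego-ca` at the top. The closing `echo "Outputted certs to diego-certs"` stays true only because the sub-scripts (at least generate-tps-certs) hard-code `diego-certs/` as their output path, which is worth stating in that comment.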
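Review bot: `go get -v github.com/square/certstrap` downloads and installs the tool that signs every Diego client certificate from the network on each run, unpinned and unverified, which leaves the whole mTLS trust chain one compromised upstream away; prefer a preinstalled, version-pinned binary and fail fast when it is absent: `command -v certstrap >/dev/null || { >&2 echo "certstrap not found on PATH"; exit 1; }` (the sibling generate-*-certs scripts are not visible here; if they share this line the fix belongs in all of them). The script also never checks that `${ca_cert_directory}/${ca_name}.key` exists before `certstrap sign`, so a mistyped CA name fails late with a certstrap error instead of the `usage` text. `mkdir -p ${output_path}` and both `certstrap` invocations leave `${output_path}`, `${ca_cert_directory}`, `$client_cn` and `$ca_name` unquoted while the `mv` lines quote them; quote them consistently so a depot path containing spaces cannot split. The `mv -f` lines preserve whatever mode certstrap gave `tps_watcher.key`; I could not confirm its default from here, so a `chmod 600 "${output_path}/client.key"` after the move is cheap insurance for an unencrypted (`--passphrase ''`) client key.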