diff --git a/cli/app.go b/cli/app.go
index 61dbadc..79977f8 100644
--- a/cli/app.go
+++ b/cli/app.go
@@ -70,6 +70,11 @@ func NewCliApp() *cli.App {
 Usage: "Authorization header to set for gRPC requests",
 EnvVars: []string{"TEMPORAL_CLI_AUTH"},
 },
+ &cli.BoolFlag{
+ Name: FlagEnableTLS,
+ Usage: "Enable TLS",
+ EnvVars: []string{"TEMPORAL_CLI_TLS"},
+ },
 &cli.StringFlag{
 Name: FlagTLSCertPath,
 Value: "",
diff --git a/cli/factory.go b/cli/factory.go
index a40dab4..185d753 100644
--- a/cli/factory.go
+++ b/cli/factory.go
@@ -205,6 +205,11 @@ func (b *clientFactory) createTLSConfig(c *cli.Context) (*tls.Config, error) {
 if err != nil {
 return nil, fmt.Errorf("unable to read TLS disable host verification flag: %w", err)
 }
+ enableTLSS := c.String(FlagEnableTLS)
+ enableTLS, err := strconv.ParseBool(enableTLSS)
+ if err != nil {
+ return nil, fmt.Errorf("unable to read TLS flag: %w", err)
+ }
 serverName := c.String(FlagTLSServerName)
@@ -256,6 +261,17 @@ func (b *clientFactory) createTLSConfig(c *cli.Context) (*tls.Config, error) {
 tlsConfig := auth.NewTLSConfigForServer(host, !disableHostNameVerification)
 return tlsConfig, nil
 }
+ // If we are given a TLS flag, set the TLS server name from the address
+ if enableTLS {
+ hostPort := c.String(FlagAddress)
+ if hostPort == "" {
+ hostPort = localHostPort
+ }
+ // Ignoring error as we'll fail to dial anyway, and that will produce a meaningful error
+ host, _, _ = net.SplitHostPort(hostPort)
+ tlsConfig := auth.NewTLSConfigForServer(host, !disableHostNameVerification)
+ return tlsConfig, nil
+ }
 return nil, nil
 }
diff --git a/cli/flags.go b/cli/flags.go
index d19624f..6a55047 100644
--- a/cli/flags.go
+++ b/cli/flags.go
@@ -97,6 +97,7 @@ var (
 FlagJobID = "job-id"
 FlagYes = "yes"
 FlagYesAlias = []string{"y"}
+ FlagEnableTLS = "tls"
 FlagTLSCertPath = "tls-cert-path"
 FlagTLSKeyPath = "tls-key-path"
 FlagTLSCaPath = "tls-ca-path"
diff --git a/cli_curr/app.go b/cli_curr/app.go
index deaac72..1ceddaa 100644
--- a/cli_curr/app.go
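Review bot: The usage text `Enable TLS` on the new BoolFlag in cli/app.go (and on its twin in cli_curr/app.go) does not tell the user what is verified or what happens when the flag is left off. Going by the createTLSConfig hunks in this commit, the flag alone builds a config whose server name is the host part of the address, and with no TLS option set the function returns a nil config, so the Authorization header declared just above would presumably be sent without transport encryption. I would spell that out, for example `Usage: "Use TLS for the connection; the server certificate is checked against the host in the address unless host verification is disabled",`.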
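Review bot: In the first cli/factory.go hunk the boolean flag is read as text with `c.String(FlagEnableTLS)` and then run through `strconv.ParseBool`, which adds an error path to createTLSConfig that a typed read would not have. The flag is registered as a `cli.BoolFlag`, so `enableTLS := c.Bool(FlagEnableTLS)` says the same thing in one line, the way the cli_curr/factory.go hunk does with `c.GlobalBool`. The context lines above suggest the host-verification flag is read the same way; if that pattern is deliberate, a short comment saying why would help, and the temporary deserves a clearer name than `enableTLSS`. createTLSConfig starts and ends outside this hunk.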
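Review bot: In the second cli/factory.go hunk (and identically in the second cli_curr/factory.go hunk) the error from `net.SplitHostPort` is discarded, so an address without a port leaves `host` empty and `auth.NewTLSConfigForServer` is called with no server name while host verification is nominally on. Whether the dial then fails, as the comment assumes, or a name is filled in later is decided outside this hunk, so the name the certificate is checked against is not pinned down here. I would fail early instead: `host, _, err = net.SplitHostPort(hostPort)` followed by `if err != nil { return nil, fmt.Errorf("unable to parse address %q: %w", hostPort, err) }`. In cli_curr/factory.go `err` may need declaring first, since the start of createTLSConfig is outside the hunk.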
+++ b/cli_curr/app.go
@@ -77,6 +77,11 @@ func NewCliApp() *cli.App {
 Name: FlagAutoConfirm,
 Usage: "Automatically confirm all prompts",
 },
+ cli.BoolFlag{
+ Name: FlagEnableTLS,
+ Usage: "Enable TLS",
+ EnvVar: "TEMPORAL_CLI_TLS",
+ },
 cli.StringFlag{
 Name: FlagTLSCertPath,
 Value: "",
diff --git a/cli_curr/factory.go b/cli_curr/factory.go
index 8debd5f..da08c81 100644
--- a/cli_curr/factory.go
+++ b/cli_curr/factory.go
@@ -184,6 +184,7 @@ func (b *clientFactory) createTLSConfig(c *cli.Context) (*tls.Config, error) {
 caPath := c.GlobalString(FlagTLSCaPath)
 disableHostNameVerification := c.GlobalBool(FlagTLSDisableHostVerification)
 serverName := c.GlobalString(FlagTLSServerName)
+ enableTLS := c.GlobalBool(FlagEnableTLS)
 var host string
 var cert *tls.Certificate
@@ -233,6 +234,17 @@ func (b *clientFactory) createTLSConfig(c *cli.Context) (*tls.Config, error) {
 tlsConfig := auth.NewTLSConfigForServer(host, !disableHostNameVerification)
 return tlsConfig, nil
 }
+ // If we are given a TLS flag, set the TLS server name from the address
+ if enableTLS {
+ hostPort := c.GlobalString(FlagAddress)
+ if hostPort == "" {
+ hostPort = localHostPort
+ }
+ // Ignoring error as we'll fail to dial anyway, and that will produce a meaningful error
+ host, _, _ = net.SplitHostPort(hostPort)
+ tlsConfig := auth.NewTLSConfigForServer(host, !disableHostNameVerification)
+ return tlsConfig, nil
+ }
 return nil, nil
 }