diff --git a/pkg/BUILD.bazel b/pkg/BUILD.bazel
index 7563a924ea27..782a4730ec38 100644
--- a/pkg/BUILD.bazel
+++ b/pkg/BUILD.bazel
@@ -241,7 +241,6 @@ ALL_TESTS = [
 "//pkg/storage:storage_test",
 "//pkg/testutils/keysutils:keysutils_test",
 "//pkg/testutils/lint/passes/fmtsafe:fmtsafe_test",
- "//pkg/testutils/lint/passes/forbiddenmethod:descriptormarshal_test",
 "//pkg/testutils/lint/passes/forbiddenmethod:forbiddenmethod_test",
 "//pkg/testutils/lint/passes/hash:hash_test",
 "//pkg/testutils/lint/passes/nocopy:nocopy_test",
diff --git a/pkg/base/config.go b/pkg/base/config.go
index 6162abf07eb0..8496f450e70a 100644
--- a/pkg/base/config.go
+++ b/pkg/base/config.go
@@ -167,6 +167,10 @@ type Config struct {
 // SSLCertsDir is the path to the certificate/key directory.
 SSLCertsDir string
+ // InitToken is a shared initialization token for generating TLS certificates
+ // across multiple nodes.
+ InitToken string
+
 // User running this process. It could be the user under which
 // the server is running or the user passed in client calls.
 User security.SQLUsername
diff --git a/pkg/cli/BUILD.bazel b/pkg/cli/BUILD.bazel
index f99c75af4b86..cecb5c12a3d6 100644
--- a/pkg/cli/BUILD.bazel
+++ b/pkg/cli/BUILD.bazel
@@ -8,6 +8,7 @@ go_library(
 "cert.go",
 "cli.go",
 "client_url.go",
+ "connect.go",
 "context.go",
 "cpuprofile.go",
 "debug.go",
diff --git a/pkg/cli/cli.go b/pkg/cli/cli.go
index 47db06568608..8318147493aa 100644
--- a/pkg/cli/cli.go
+++ b/pkg/cli/cli.go
@@ -237,6 +237,8 @@ func init() {
 startSingleNodeCmd,
 initCmd,
 certCmd,
+ // TODO(bilal): Uncomment this when the connect command does something useful.
+ // connectCmd,
 quitCmd,
 sqlShellCmd,
diff --git a/pkg/cli/cliflags/flags.go b/pkg/cli/cliflags/flags.go
index c7046a4856ac..707ecbe7ebb7 100644
--- a/pkg/cli/cliflags/flags.go
+++ b/pkg/cli/cliflags/flags.go
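Review bot: The doc comment on `InitToken` in pkg/base/config.go does not say that the field holds a secret. It is a shared credential used to bootstrap TLS certificates, yet it sits beside ordinary settings such as `SSLCertsDir`, so any code that prints or serializes a `Config` could expose it; whether such code exists is not visible in this hunk. I would extend the comment to `// InitToken is a shared secret used to bootstrap TLS certificates across multiple nodes; it must never be logged or included in diagnostic output.` The `Config` struct starts and ends outside the hunk.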
@@ -711,6 +711,11 @@ Instead, require the user to always specify access keys.`,
 Description: `Prompt for the new user's password.`,
 }
+ InitToken = FlagInfo{
+ Name: "init-token",
+ Description: `Shared token for initialization of node TLS certificates`,
+ }
+
 CertsDir = FlagInfo{
 Name: "certs-dir",
 EnvVar: "COCKROACH_CERTS_DIR",
diff --git a/pkg/cli/connect.go b/pkg/cli/connect.go
new file mode 100644
index 000000000000..df77327ae5bb
--- /dev/null
+++ b/pkg/cli/connect.go
@@ -0,0 +1,34 @@
+// Copyright 2021 The Cockroach Authors.
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package cli
+
+import "github.com/spf13/cobra"
+
+// connectCmd triggers a TLS initialization handshake and writes
+// certificates in the specified certs-dir for use with start.
+var connectCmd = &cobra.Command{
+ Use: "connect --certs-dir= --init-token= --join=,,...,",
+ Short: "build TLS certificates for use with the start command",
+ Long: `
+Connects to other nodes and negotiates an initialization bundle for use with
+secure inter-node connections.
+`,
+ Args: cobra.NoArgs,
+ RunE: MaybeDecorateGRPCError(runConnect),
+}
+
+// runConnect connects to other nodes and negotiates an initialization bundle
+// for use with secure inter-node connections.
+func runConnect(cmd *cobra.Command, args []string) error {
+ // TODO(bilal): Implement TLS init handshake.
+ // https://github.com/cockroachdb/cockroach/issues/60632
+ return nil
+}
diff --git a/pkg/cli/flags.go b/pkg/cli/flags.go
index dc034a53de9d..bba418a954e5 100644
--- a/pkg/cli/flags.go
+++ b/pkg/cli/flags.go
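Review bot: `InitToken` in pkg/cli/cliflags/flags.go is declared with only a `Name`, so as declared here the token is passed as `--init-token=` on the command line. A secret passed that way can be read by other local users from the process list and is usually kept in shell history. `CertsDir` directly below declares an `EnvVar`; giving the token an environment-variable or file-based source (name to be chosen) would keep it out of argv. The description should also say that the value is sensitive, for example `Shared secret token for initialization of node TLS certificates; treat it like a password.`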
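Review bot: `runConnect` in pkg/cli/connect.go returns `nil` without doing any work, so once `connectCmd` is registered the command would exit successfully without having written a certificate to the certs directory. A stub for a security bootstrap step is safer failing closed, e.g. `return errors.New("connect: TLS init handshake is not implemented yet")`, using whichever errors package the rest of pkg/cli imports. The doc comment on `runConnect` should also say that the function is currently a placeholder, since it now describes behaviour the body does not have.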
@@ -472,6 +472,15 @@ func init() {
 stringSliceFlag(f, &cliCtx.certPrincipalMap, cliflags.CertPrincipalMap)
 }
+ // Flags for the connect command.
+ {
+ f := connectCmd.Flags()
+ stringFlag(f, &baseCfg.SSLCertsDir, cliflags.CertsDir)
+ stringFlag(f, &baseCfg.InitToken, cliflags.InitToken)
+ varFlag(f, addrSetter{&startCtx.serverListenAddr, &serverListenPort}, cliflags.ListenAddr)
+ varFlag(f, &serverCfg.JoinList, cliflags.Join)
+ }
+
 for _, cmd := range []*cobra.Command{
 createCACertCmd,
 createClientCACertCmd,
diff --git a/pkg/cmd/roachvet/BUILD.bazel b/pkg/cmd/roachvet/BUILD.bazel
index a98b8f348b9c..9244fa3ca40b 100644
--- a/pkg/cmd/roachvet/BUILD.bazel
+++ b/pkg/cmd/roachvet/BUILD.bazel
@@ -8,7 +8,7 @@ go_library(
 deps = [
 "//pkg/testutils/lint/passes/errcmp",
 "//pkg/testutils/lint/passes/fmtsafe",
- "//pkg/testutils/lint/passes/forbiddenmethod:descriptormarshal",
+ "//pkg/testutils/lint/passes/forbiddenmethod",
 "//pkg/testutils/lint/passes/hash",
 "//pkg/testutils/lint/passes/nocopy",
 "//pkg/testutils/lint/passes/returnerrcheck",
diff --git a/pkg/testutils/lint/passes/forbiddenmethod/BUILD.bazel b/pkg/testutils/lint/passes/forbiddenmethod/BUILD.bazel
index d0c4f0ae0d67..9e4cfe35c85a 100644
--- a/pkg/testutils/lint/passes/forbiddenmethod/BUILD.bazel
+++ b/pkg/testutils/lint/passes/forbiddenmethod/BUILD.bazel
@@ -1,7 +1,7 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 go_library(
- name = "descriptormarshal",
+ name = "forbiddenmethod",
 srcs = [
 "analyzers.go",
 "forbiddenmethod.go",
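Review bot: Nothing in the connect flag block of pkg/cli/flags.go makes `--init-token` mandatory, so `baseCfg.InitToken` is left unset by this block when the flag is omitted. An empty shared token should never be accepted as a credential once the handshake exists. Either mark the flag required here with `connectCmd.MarkFlagRequired(cliflags.InitToken.Name)` (checking its error), or have `runConnect` reject an empty value before it contacts any node in the join list. The enclosing `init()` starts and ends outside the hunk.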
@@ -17,24 +17,13 @@ go_library(
 )
 go_test(
- name = "descriptormarshal_test",
+ name = "forbiddenmethod_test",
 size = "small",
 srcs = ["descriptormarshal_test.go"],
 data = glob(["testdata/**"]),
 tags = ["broken_in_bazel"],
 deps = [
- ":descriptormarshal",
- "//pkg/testutils/skip",
- "@org_golang_x_tools//go/analysis/analysistest",
- ],
-)
-
-go_test(
- name = "forbiddenmethod_test",
- srcs = ["descriptormarshal_test.go"],
- data = glob(["testdata/**"]),
- deps = [
- ":descriptormarshal",
+ ":forbiddenmethod",
 "//pkg/testutils/skip",
 "@org_golang_x_tools//go/analysis/analysistest",
 ],
diff --git a/pkg/testutils/lint/passes/passesutil/BUILD.bazel b/pkg/testutils/lint/passes/passesutil/BUILD.bazel
index 2f8588db1061..be7ede8e9826 100644
--- a/pkg/testutils/lint/passes/passesutil/BUILD.bazel
+++ b/pkg/testutils/lint/passes/passesutil/BUILD.bazel
@@ -17,7 +17,7 @@ go_test(
 srcs = ["passes_util_test.go"],
 tags = ["broken_in_bazel"],
 deps = [
- "//pkg/testutils/lint/passes/forbiddenmethod:descriptormarshal",
+ "//pkg/testutils/lint/passes/forbiddenmethod",
 "//pkg/testutils/lint/passes/unconvert",
 "//pkg/testutils/skip",
 "@com_github_stretchr_testify//require",