diff --git a/pkg/rpc/context.go b/pkg/rpc/context.go
index af336663857d..9ac77f3a0ac4 100644
--- a/pkg/rpc/context.go
+++ b/pkg/rpc/context.go
@@ -717,13 +717,15 @@ func (ctx *Context) grpcDialOptions(
 if ctx.Config.Insecure {
 dialOpts = append(dialOpts, grpc.WithInsecure())
 } else {
- // TODO(tbg): complete this logic to use tenant client certs if ctx.tenID is
- // not the system tenant.
- const tenant = false
 var err error
 var tlsConfig *tls.Config
- if !tenant {
+ // TODO(tbg): remove this override when the KV layer can authenticate tenant
+ // client certs.
+ const override = true
+ if override || ctx.tenID == roachpb.SystemTenantID {
 tlsConfig, err = ctx.GetClientTLSConfig()
+ } else {
+ tlsConfig, err = ctx.GetTenantClientTLSConfig()
 }
 if err != nil {
diff --git a/pkg/rpc/tls.go b/pkg/rpc/tls.go
index 84e511b52ba5..3546c24f3450 100644
--- a/pkg/rpc/tls.go
+++ b/pkg/rpc/tls.go
@@ -146,6 +146,30 @@ func (ctx *SecurityContext) GetClientTLSConfig() (*tls.Config, error) {
 return tlsCfg, nil
 }
 
+// GetTenantClientTLSConfig returns the client TLS config for the tenant, provided
+// the SecurityContext operates on behalf of a secondary tenant (i.e. not the
+// system tenant).
+//
+// If Insecure is true, return a nil config, otherwise retrieves the client
+// certificate for the configured tenant from the cert manager.
+func (ctx *SecurityContext) GetTenantClientTLSConfig() (*tls.Config, error) {
+ // Early out.
+ if ctx.config.Insecure {
+ return nil, nil
+ }
+
+ cm, err := ctx.GetCertificateManager()
+ if err != nil {
+ return nil, wrapError(err)
+ }
+
+ tlsCfg, err := cm.GetTenantClientTLSConfig()
+ if err != nil {
+ return nil, wrapError(err)
+ }
+ return tlsCfg, nil
+}
+
 // getUIClientTLSConfig returns the client TLS config for Admin UI clients, initializing it if needed.
 // If Insecure is true, return a nil config, otherwise ask the certificate
 // manager for a TLS config configured to talk to the Admin UI.
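Review bot: With `const override = true` the `||` short-circuits, so the new `else` branch calling `ctx.GetTenantClientTLSConfig()` is unreachable, and a secondary tenant in secure mode still dials with the same client certificate the system tenant uses; nothing in the hunk records that this is the intended interim posture. The TODO should state the consequence, e.g. `// TODO(tbg): remove this override when the KV layer can authenticate tenant client certs. Until then secondary tenants present the same client cert as the system tenant, so the KV side cannot tell them apart by certificate.` A constant-true guard also keeps the tenant branch out of every test; a package-level var that a test can flip would let `GetTenantClientTLSConfig` be exercised before the override is removed. grpcDialOptions begins before the hunk and continues after it.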
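Review bot: The doc comment on `GetTenantClientTLSConfig` says it applies "provided the SecurityContext operates on behalf of a secondary tenant", but the body never checks which tenant the context belongs to; it returns whatever `cm.GetTenantClientTLSConfig()` yields, including for the system tenant. Either enforce that precondition in the method or reword the comment so callers know the check is theirs: `// The caller must ensure the context belongs to a secondary tenant; this method does not verify it.` The `// Early out.` comment restates the code; `// Insecure mode carries no TLS config, presumably matching GetClientTLSConfig.` would say why. Since the insecure path returns `(nil, nil)`, the doc should also state that callers must treat a nil config as plaintext rather than as a failure.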