diff --git a/metropolis/cli/metroctl/BUILD.bazel b/metropolis/cli/metroctl/BUILD.bazel
index de0278b..8d4fee4 100644
--- a/metropolis/cli/metroctl/BUILD.bazel
+++ b/metropolis/cli/metroctl/BUILD.bazel
@@ -26,6 +26,7 @@
         "@com_github_spf13_cobra//:go_default_library",
         "@io_k8s_apimachinery//pkg/apis/meta/v1:go_default_library",
         "@io_k8s_client_go//pkg/apis/clientauthentication/v1beta1:go_default_library",
+        "@org_golang_google_grpc//:go_default_library",
     ],
 )
 
diff --git a/metropolis/cli/metroctl/takeownership.go b/metropolis/cli/metroctl/takeownership.go
index 503248a..17ed121 100644
--- a/metropolis/cli/metroctl/takeownership.go
+++ b/metropolis/cli/metroctl/takeownership.go
@@ -11,6 +11,7 @@
 
 	"github.com/adrg/xdg"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
 
 	clicontext "source.monogon.dev/metropolis/cli/pkg/context"
 	"source.monogon.dev/metropolis/node"
@@ -49,7 +50,11 @@
 	}
 	ownerPrivateKey := ed25519.PrivateKey(block.Bytes)
 
-	client, err := rpc.NewEphemeralClient(net.JoinHostPort(args[0], node.CuratorServicePort.PortString()), ownerPrivateKey, nil)
+	ephCreds, err := rpc.NewEphemeralCredentials(ownerPrivateKey, nil)
+	if err != nil {
+		log.Fatalf("Failed to create ephemeral credentials: %v", err)
+	}
+	client, err := grpc.Dial(net.JoinHostPort(args[0], node.CuratorServicePort.PortString()), grpc.WithTransportCredentials(ephCreds))
 	if err != nil {
 		log.Fatalf("Failed to create client to given node address: %v", err)
 	}
diff --git a/metropolis/node/core/cluster/BUILD.bazel b/metropolis/node/core/cluster/BUILD.bazel
index 2002571..93cc5de 100644
--- a/metropolis/node/core/cluster/BUILD.bazel
+++ b/metropolis/node/core/cluster/BUILD.bazel
@@ -24,6 +24,7 @@
         "//metropolis/proto/api:go_default_library",
         "//metropolis/proto/private:go_default_library",
         "@com_github_cenkalti_backoff_v4//:go_default_library",
+        "@org_golang_google_grpc//:go_default_library",
         "@org_golang_google_protobuf//proto:go_default_library",
     ],
 )
diff --git a/metropolis/node/core/cluster/cluster_register.go b/metropolis/node/core/cluster/cluster_register.go
index 7376b84..3acb7d7 100644
--- a/metropolis/node/core/cluster/cluster_register.go
+++ b/metropolis/node/core/cluster/cluster_register.go
@@ -12,6 +12,8 @@
 	"strings"
 	"time"
 
+	"google.golang.org/grpc"
+
 	"source.monogon.dev/metropolis/node"
 	ipb "source.monogon.dev/metropolis/node/core/curator/proto/api"
 	"source.monogon.dev/metropolis/node/core/identity"
@@ -99,7 +101,11 @@
 	// MVP: this should be properly client-side loadbalanced.
 	remote := register.ClusterDirectory.Nodes[0].Addresses[0].Host
 	remote = net.JoinHostPort(remote, strconv.Itoa(int(node.CuratorServicePort)))
-	eph, err := rpc.NewEphemeralClient(remote, priv, ca)
+	ephCreds, err := rpc.NewEphemeralCredentials(priv, ca)
+	if err != nil {
+		return fmt.Errorf("could not create ephemeral credentials: %w", err)
+	}
+	eph, err := grpc.Dial(remote, grpc.WithTransportCredentials(ephCreds))
 	if err != nil {
 		return fmt.Errorf("could not create ephemeral client to %q: %w", remote, err)
 	}
diff --git a/metropolis/node/core/curator/impl_leader_test.go b/metropolis/node/core/curator/impl_leader_test.go
index 60b1d70..b07b49f 100644
--- a/metropolis/node/core/curator/impl_leader_test.go
+++ b/metropolis/node/core/curator/impl_leader_test.go
@@ -8,6 +8,7 @@
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
+	"net"
 	"testing"
 
 	"go.etcd.io/etcd/integration"
@@ -141,19 +142,30 @@
 		externalSrv.Stop()
 	}()
 
+	withLocalDialer := grpc.WithContextDialer(func(_ context.Context, _ string) (net.Conn, error) {
+		return externalLis.Dial()
+	})
+	ca := nodeCredentials.ClusterCA()
+
 	// Create an authenticated manager gRPC client.
-	mcl, err := rpc.NewAuthenticatedClientTest(externalLis, ownerCreds, nodeCredentials.ClusterCA())
+	mcl, err := grpc.Dial("local", withLocalDialer, grpc.WithTransportCredentials(rpc.NewAuthenticatedCredentials(ownerCreds, ca)))
 	if err != nil {
 		t.Fatalf("Dialing external GRPC failed: %v", err)
 	}
 
-	// Create an ephemeral node gRPC client for the local node.
-	lcl, err := rpc.NewAuthenticatedClientTest(externalLis, nodeCredentials.TLSCredentials(), nodeCredentials.ClusterCA())
+	// Create a node gRPC client for the local node.
+	lcl, err := grpc.Dial("local", withLocalDialer,
+		grpc.WithTransportCredentials(rpc.NewAuthenticatedCredentials(nodeCredentials.TLSCredentials(), ca)))
 	if err != nil {
 		t.Fatalf("Dialing external GRPC failed: %v", err)
 	}
+
 	// Create an ephemeral node gRPC client for the 'other node'.
-	ocl, err := rpc.NewEphemeralClientTest(externalLis, otherPriv, nodeCredentials.ClusterCA())
+	otherEphCreds, err := rpc.NewEphemeralCredentials(otherPriv, ca)
+	if err != nil {
+		t.Fatalf("NewEphemeralCredentials: %v", err)
+	}
+	ocl, err := grpc.Dial("local", withLocalDialer, grpc.WithTransportCredentials(otherEphCreds))
 	if err != nil {
 		t.Fatalf("Dialing external GRPC failed: %v", err)
 	}
diff --git a/metropolis/node/core/roleserve/value_clustermembership.go b/metropolis/node/core/roleserve/value_clustermembership.go
index d699473..1a9ebc5 100644
--- a/metropolis/node/core/roleserve/value_clustermembership.go
+++ b/metropolis/node/core/roleserve/value_clustermembership.go
@@ -136,7 +136,8 @@
 	}
 	host := m.remoteCurators.Nodes[0].Addresses[0].Host
 	addr := net.JoinHostPort(host, common.CuratorServicePort.PortString())
-	return rpc.NewAuthenticatedClient(addr, m.credentials.TLSCredentials(), m.credentials.ClusterCA())
+	creds := rpc.NewAuthenticatedCredentials(m.credentials.TLSCredentials(), m.credentials.ClusterCA())
+	return grpc.Dial(addr, grpc.WithTransportCredentials(creds))
 }
 
 func (m *ClusterMembership) NodePubkey() ed25519.PublicKey {
diff --git a/metropolis/node/core/rpc/BUILD.bazel b/metropolis/node/core/rpc/BUILD.bazel
index 4d83dfe..8ec88c0 100644
--- a/metropolis/node/core/rpc/BUILD.bazel
+++ b/metropolis/node/core/rpc/BUILD.bazel
@@ -25,7 +25,6 @@
         "@org_golang_google_grpc//credentials:go_default_library",
         "@org_golang_google_grpc//peer:go_default_library",
         "@org_golang_google_grpc//status:go_default_library",
-        "@org_golang_google_grpc//test/bufconn:go_default_library",
         "@org_golang_google_protobuf//encoding/prototext:go_default_library",
         "@org_golang_google_protobuf//proto:go_default_library",
         "@org_golang_google_protobuf//reflect/protoreflect:go_default_library",
@@ -45,6 +44,7 @@
         "//metropolis/pkg/logtree:go_default_library",
         "//metropolis/proto/api:go_default_library",
         "//metropolis/proto/ext:go_default_library",
+        "@org_golang_google_grpc//:go_default_library",
         "@org_golang_google_grpc//codes:go_default_library",
         "@org_golang_google_grpc//status:go_default_library",
         "@org_golang_google_grpc//test/bufconn:go_default_library",
diff --git a/metropolis/node/core/rpc/client.go b/metropolis/node/core/rpc/client.go
index 5ff71be..70173d8 100644
--- a/metropolis/node/core/rpc/client.go
+++ b/metropolis/node/core/rpc/client.go
@@ -8,13 +8,10 @@
 	"crypto/x509"
 	"fmt"
 	"math/big"
-	"net"
 	"time"
 
-	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/status"
-	"google.golang.org/grpc/test/bufconn"
 
 	"source.monogon.dev/metropolis/node/core/identity"
 	"source.monogon.dev/metropolis/pkg/pki"
@@ -40,19 +37,23 @@
 	}
 }
 
-// NewEphemeralClient dials a cluster's services using just a self-signed
-// certificate and can be used to then escrow real cluster credentials for the
-// owner.
+// NewEphemeralCredentials returns gRPC TransportCredentials that can be used to
+// dial a cluster without authenticating with a certificate, but instead
+// authenticating by proving the possession of a private key, via an ephemeral
+// self-signed certificate.
 //
-// These self-signed certificates are used by clients connecting to the cluster
-// which want to prove ownership of an ED25519 keypair but don't have any
-// 'real' client certificate (yet). Current users include users of AAA.Escrow
-// and new nodes Registering into the Cluster.
+// Currently these credentials are used in two flows:
+//
+//   1. Registration of nodes into a cluster, after which a node receives a proper
+//      node certificate
+//
+//   2. Escrow of initial owner credentials into a proper manager
+//      certificate
 //
 // If 'ca' is given, the remote side will be cryptographically verified to be a
 // node that's part of the cluster represented by the ca. Otherwise, no
 // verification is performed and this function is unsafe.
-func NewEphemeralClient(remote string, private ed25519.PrivateKey, ca *x509.Certificate, opts ...grpc.DialOption) (*grpc.ClientConn, error) {
+func NewEphemeralCredentials(private ed25519.PrivateKey, ca *x509.Certificate) (credentials.TransportCredentials, error) {
 	template := x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		NotBefore:    time.Now(),
@@ -70,13 +71,25 @@
 		Certificate: [][]byte{certificateBytes},
 		PrivateKey:  private,
 	}
-	return NewAuthenticatedClient(remote, certificate, ca, opts...)
+	return NewAuthenticatedCredentials(certificate, ca), nil
 }
 
-func NewEphemeralClientTest(listener *bufconn.Listener, private ed25519.PrivateKey, ca *x509.Certificate) (*grpc.ClientConn, error) {
-	return NewEphemeralClient("local", private, ca, grpc.WithContextDialer(func(_ context.Context, _ string) (net.Conn, error) {
-		return listener.Dial()
-	}))
+// NewAuthenticatedCredentials returns gRPC TransportCredentials that can be
+// used to dial a cluster with a given TLS certificate (from node or manager
+// credentials).
+//
+// If 'ca' is given, the remote side will be cryptographically verified to be a
+// node that's part of the cluster represented by the ca. Otherwise, no
+// verification is performed and this function is unsafe.
+func NewAuthenticatedCredentials(cert tls.Certificate, ca *x509.Certificate) credentials.TransportCredentials {
+	config := &tls.Config{
+		Certificates:       []tls.Certificate{cert},
+		InsecureSkipVerify: true,
+	}
+	if ca != nil {
+		config.VerifyPeerCertificate = verifyClusterCertificate(ca)
+	}
+	return credentials.NewTLS(config)
 }
 
 // RetrieveOwnerCertificates uses AAA.Escrow to retrieve a cluster manager
@@ -113,27 +126,3 @@
 		PrivateKey:  private,
 	}, nil
 }
-
-// NewAuthenticatedClient dials a cluster's services using the given TLS
-// credentials (either user or node credentials).
-//
-// If 'ca' is given, the remote side will be cryptographically verified to be a
-// node that's part of the cluster represented by the ca. Otherwise, no
-// verification is performed and this function is unsafe.
-func NewAuthenticatedClient(remote string, cert tls.Certificate, ca *x509.Certificate, opts ...grpc.DialOption) (*grpc.ClientConn, error) {
-	config := &tls.Config{
-		Certificates:       []tls.Certificate{cert},
-		InsecureSkipVerify: true,
-	}
-	if ca != nil {
-		config.VerifyPeerCertificate = verifyClusterCertificate(ca)
-	}
-	opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(config)))
-	return grpc.Dial(remote, opts...)
-}
-
-func NewAuthenticatedClientTest(listener *bufconn.Listener, cert tls.Certificate, ca *x509.Certificate) (*grpc.ClientConn, error) {
-	return NewAuthenticatedClient("local", cert, ca, grpc.WithContextDialer(func(_ context.Context, _ string) (net.Conn, error) {
-		return listener.Dial()
-	}))
-}
diff --git a/metropolis/node/core/rpc/server_authentication_test.go b/metropolis/node/core/rpc/server_authentication_test.go
index 559d4fa..247479e 100644
--- a/metropolis/node/core/rpc/server_authentication_test.go
+++ b/metropolis/node/core/rpc/server_authentication_test.go
@@ -4,8 +4,10 @@
 	"context"
 	"crypto/ed25519"
 	"crypto/rand"
+	"net"
 	"testing"
 
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/grpc/test/bufconn"
@@ -51,10 +53,16 @@
 	defer lis.Close()
 	defer srv.Stop()
 
+	withLocalDialer := grpc.WithContextDialer(func(_ context.Context, _ string) (net.Conn, error) {
+		return lis.Dial()
+	})
+
 	// Authenticate as manager externally, ensure that GetRegisterTicket runs.
-	cl, err := NewAuthenticatedClientTest(lis, eph.Manager, eph.CA)
+	cl, err := grpc.Dial("local",
+		grpc.WithTransportCredentials(NewAuthenticatedCredentials(eph.Manager, eph.CA)),
+		withLocalDialer)
 	if err != nil {
-		t.Fatalf("NewAuthenticatedClient: %v", err)
+		t.Fatalf("Dial: %v", err)
 	}
 	defer cl.Close()
 	mgmt := apb.NewManagementClient(cl)
@@ -65,9 +73,11 @@
 
 	// Authenticate as node externally, ensure that GetRegisterTicket is refused
 	// (this is because nodes miss the GET_REGISTER_TICKET permissions).
-	cl, err = NewAuthenticatedClientTest(lis, eph.Nodes[0].TLSCredentials(), eph.CA)
+	cl, err = grpc.Dial("local",
+		grpc.WithTransportCredentials(NewAuthenticatedCredentials(eph.Nodes[0].TLSCredentials(), eph.CA)),
+		withLocalDialer)
 	if err != nil {
-		t.Fatalf("NewAuthenticatedClient: %v", err)
+		t.Fatalf("Dial: %v", err)
 	}
 	defer cl.Close()
 	mgmt = apb.NewManagementClient(cl)
@@ -91,9 +101,14 @@
 	if err != nil {
 		t.Fatalf("GenerateKey: %v", err)
 	}
-	cl, err = NewEphemeralClientTest(lis, sk, eph.CA)
+
+	ephCreds, err := NewEphemeralCredentials(sk, eph.CA)
 	if err != nil {
-		t.Fatalf("NewEphemeralClient: %v", err)
+		t.Fatalf("NewEphemeralCredentials: %v", err)
+	}
+	cl, err = grpc.Dial("local", grpc.WithTransportCredentials(ephCreds), withLocalDialer)
+	if err != nil {
+		t.Fatalf("Dial: %v", err)
 	}
 	defer cl.Close()
 	mgmt = apb.NewManagementClient(cl)
diff --git a/metropolis/test/launch/cluster/cluster.go b/metropolis/test/launch/cluster/cluster.go
index 8cc0a48..cf9cd07 100644
--- a/metropolis/test/launch/cluster/cluster.go
+++ b/metropolis/test/launch/cluster/cluster.go
@@ -405,10 +405,15 @@
 
 	// Dial external service.
 	remote := fmt.Sprintf("localhost:%v", portMap[node.CuratorServicePort])
-	initClient, err := rpc.NewEphemeralClient(remote, InsecurePrivateKey, nil)
+	initCreds, err := rpc.NewEphemeralCredentials(InsecurePrivateKey, nil)
 	if err != nil {
 		ctxC()
-		return nil, fmt.Errorf("NewInitialClient: %w", err)
+		return nil, fmt.Errorf("NewEphemeralCredentials: %w", err)
+	}
+	initClient, err := grpc.Dial(remote, grpc.WithTransportCredentials(initCreds))
+	if err != nil {
+		ctxC()
+		return nil, fmt.Errorf("dialing with ephemeral credentials failed: %w", err)
 	}
 
 	// Retrieve owner certificate - this can take a while because the node is still
@@ -432,10 +437,11 @@
 	log.Printf("Cluster: retrieved owner certificate.")
 
 	// Build authenticated owner client to new node.
-	authClient, err := rpc.NewAuthenticatedClient(remote, *cert, nil)
+	authCreds := rpc.NewAuthenticatedCredentials(*cert, nil)
+	authClient, err := grpc.Dial(remote, grpc.WithTransportCredentials(authCreds))
 	if err != nil {
 		ctxC()
-		return nil, fmt.Errorf("NewAuthenticatedClient: %w", err)
+		return nil, fmt.Errorf("dialing with owner credentials failed: %w", err)
 	}
 	mgmt := apb.NewManagementClient(authClient)