diff --git a/api/api.go b/api/api.go
index 7a99ea3a..dbd810e1 100644
--- a/api/api.go
+++ b/api/api.go
@@ -17,6 +17,9 @@ package api
 import (
+ "crypto/tls"
+ "crypto/x509"
+ "io/ioutil"
 "net"
 "net/http"
 "strconv"
@@ -27,7 +30,6 @@ import (
 "github.com/coreos/clair/config"
 "github.com/coreos/clair/utils"
- httputils "github.com/coreos/clair/utils/http"
 )
 var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api")
@@ -44,7 +46,7 @@ func Run(config *config.APIConfig, st *utils.Stopper) {
 }
 log.Infof("starting main API on port %d.", config.Port)
- tlsConfig, err := httputils.LoadTLSClientConfigForServer(config.CAFile)
+ tlsConfig, err := tlsClientConfig(config.CAFile)
 if err != nil {
 log.Fatalf("could not initialize client cert authentification: %s\n", err)
 }
@@ -110,3 +112,30 @@ func listenAndServeWithStopper(srv *graceful.Server, st *utils.Stopper, certFile
 log.Fatal(err)
 }
 }
+
+// tlsClientConfig initializes a *tls.Config using the given CA. The resulting
+// *tls.Config is meant to be used to configure an HTTP server to do client
+// certificate authentication.
+//
+// If no CA is given, a nil *tls.Config is returned; no client certificate will
+// be required and verified. In other words, authentification will be disabled.
+func tlsClientConfig(caPath string) (*tls.Config, error) {
+ if caPath == "" {
+ return nil, nil
+ }
+
+ caCert, err := ioutil.ReadFile(caPath)
+ if err != nil {
+ return nil, err
+ }
+
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(caCert)
+
+ tlsConfig := &tls.Config{
+ ClientCAs: caCertPool,
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ }
+
+ return tlsConfig, nil
+}
diff --git a/utils/http/http.go b/utils/http/http.go
index b06c94ac..360c7ad8 100644
--- a/utils/http/http.go
+++ b/utils/http/http.go
@@ -16,11 +16,8 @@ package http
 import (
- "crypto/tls"
- "crypto/x509"
 "encoding/json"
 "io"
- "io/ioutil"
 "net/http"
 "github.com/coreos/clair/database"
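Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM(caCert)` in the new tlsClientConfig is discarded, so a CA file that contains no parseable PEM certificate produces a config with an empty ClientCAs pool and `RequireAndVerifyClientCert`, and every client handshake then fails with nothing pointing at the file as the cause. Check it and surface the misconfiguration at startup: `if !caCertPool.AppendCertsFromPEM(caCert) {` / `return nil, fmt.Errorf("no CA certificates found in %q", caPath)` / `}` (this needs `fmt` added to the import block of the same file). The tls.Config built here also sets no MinVersion, so the protocol floor the server accepts is whatever the Go runtime defaults to; if only modern TLS is intended, pin it explicitly in this literal. The new doc comment mixes "authentication" and "authentification"; the second spelling reads as a typo carried over from the removed helper.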
@@ -31,31 +28,6 @@ import (
 // MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body.
 const MaxBodySize int64 = 1048576
-// LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to
-// configure http server to do client certificate authentification.
-//
-// If no CA is given, a nil *tls.Config is returned: no client certificate will be required and
-// verified. In other words, authentification will be disabled.
-func LoadTLSClientConfigForServer(caFile string) (*tls.Config, error) {
- if len(caFile) == 0 {
- return nil, nil
- }
-
- caCert, err := ioutil.ReadFile(caFile)
- if err != nil {
- return nil, err
- }
- caCertPool := x509.NewCertPool()
- caCertPool.AppendCertsFromPEM(caCert)
-
- tlsConfig := &tls.Config{
- ClientCAs: caCertPool,
- ClientAuth: tls.RequireAndVerifyClientCert,
- }
-
- return tlsConfig, nil
-}
-
 // WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as
 // a HTTP status code.
 func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) {