diff --git a/pkg/cmd/provisioning/aws/create_identity_provider.go b/pkg/cmd/provisioning/aws/create_identity_provider.go
index db61a5371..cc2b29145 100644
--- a/pkg/cmd/provisioning/aws/create_identity_provider.go
+++ b/pkg/cmd/provisioning/aws/create_identity_provider.go
@@ -7,6 +7,8 @@ import (
 "fmt"
 "io/ioutil"
 "log"
+ "net"
+ "net/http"
 "net/url"
 "os"
 "path/filepath"
@@ -285,14 +287,37 @@ func getTLSFingerprint(bucketURL string) (string, error) {
 return "", err
 }
 
- urlWithPort := fmt.Sprintf("%s:443", u.Host)
+ urlWithPort := fmt.Sprintf("https://%s:443", u.Host)
+ var proxyUrl *url.URL
+ if proxyEnv := os.Getenv("HTTP_PROXY"); proxyEnv != "" {
+ log.Printf("Using HTTP_PROXY=%s", proxyUrl)
+ proxyUrl, err = url.Parse(proxyEnv)
+ if err != nil {
+ log.Print(fmt.Errorf("error setting HTTP_PROXY: %s", err))
+ }
+ }
 
- conn, err := tls.Dial("tcp", urlWithPort, &tls.Config{})
+ tlsConfig := http.DefaultTransport.(*http.Transport).TLSClientConfig
+ c := &http.Client{
+ Transport: &http.Transport{
+ DialTLS: func(network, addr string) (net.Conn, error) {
+ conn, err := tls.Dial(network, addr, tlsConfig)
+ return conn, err
+ },
+ Proxy: http.ProxyURL(proxyUrl),
+ },
+ }
+ resp, err := c.Get(urlWithPort)
 if err != nil {
- return "", err
+ return "", errors.Wrapf(err, "unable to validate URL %s to check existing Identity Provider", urlWithPort)
 }
-
- certs := conn.ConnectionState().PeerCertificates
+ if resp.TLS == nil {
+ return "", errors.Wrapf(err, "unable to get TLS connection from URL %s", urlWithPort)
+ }
+ if resp.TLS.PeerCertificates == nil {
+ return "", errors.Wrapf(err, "unable to get TLS PeerCertificates from connection URL %s", urlWithPort)
+ }
+ certs := resp.TLS.PeerCertificates
 numCerts := len(certs)
 fingerprint := sha1.Sum(certs[numCerts-1].Raw)