diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
index 963d519ca18..cfa5663ce0d 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@@ -289,7 +289,7 @@ func ValidateEtcd(e *kubeadm.Etcd, fldPath *field.Path) field.ErrorList {
 if (e.External.CertFile == "" && e.External.KeyFile != "") || (e.External.CertFile != "" && e.External.KeyFile == "") {
 allErrs = append(allErrs, field.Invalid(externalPath, "", "either both or none of .Etcd.External.CertFile and .Etcd.External.KeyFile must be set"))
 }
- // If the cert and key are specified, require the VA as well
+ // If the cert and key are specified, require the CA as well
 if e.External.CertFile != "" && e.External.KeyFile != "" && e.External.CAFile == "" {
 allErrs = append(allErrs, field.Invalid(externalPath, "", "setting .Etcd.External.CertFile and .Etcd.External.KeyFile requires .Etcd.External.CAFile"))
 }
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
index e129d839818..05e7ec42a98 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
@@ -961,3 +961,82 @@ func TestValidateURLs(t *testing.T) {
 }
 }
 }
+
+func TestValidateEtcd(t *testing.T) {
+ var tests = []struct {
+ name string
+ etcd *kubeadm.Etcd
+ expectedErrors bool
+ }{
+ {
+ name: "either .Etcd.Local or .Etcd.External is required",
+ etcd: &kubeadm.Etcd{},
+ expectedErrors: true,
+ },
+ {
+ name: ".Etcd.Local and .Etcd.External are mutually exclusive",
+ etcd: &kubeadm.Etcd{
+ Local: &kubeadm.LocalEtcd{
+ DataDir: "/some/path",
+ },
+ External: &kubeadm.ExternalEtcd{
+ Endpoints: []string{"10.100.0.1:2379", "10.100.0.2:2379"},
+ },
+ },
+ expectedErrors: true,
+ },
+ {
+ name: "either both or none of .Etcd.External.CertFile and .Etcd.External.KeyFile must be set",
+ etcd: &kubeadm.Etcd{
+ External: &kubeadm.ExternalEtcd{
+ Endpoints: []string{"https://external.etcd1:2379", "https://external.etcd2:2379"},
+ CertFile: "/some/file.crt",
+ },
+ },
+ expectedErrors: true,
+ },
+ {
+ name: "setting .Etcd.External.CertFile and .Etcd.External.KeyFile requires .Etcd.External.CAFile",
+ etcd: &kubeadm.Etcd{
+ External: &kubeadm.ExternalEtcd{
+ Endpoints: []string{"https://external.etcd1:2379", "https://external.etcd2:2379"},
+ CertFile: "/some/file.crt",
+ KeyFile: "/some/file.key",
+ },
+ },
+ expectedErrors: true,
+ },
+ {
+ name: "valid external etcd",
+ etcd: &kubeadm.Etcd{
+ External: &kubeadm.ExternalEtcd{
+ Endpoints: []string{"https://external.etcd1:2379", "https://external.etcd2:2379"},
+ CertFile: "/etcd.crt",
+ KeyFile: "/etcd.key",
+ CAFile: "/etcd-ca.crt",
+ },
+ },
+ expectedErrors: false,
+ },
+ {
+ name: "valid external etcd (no TLS)",
+ etcd: &kubeadm.Etcd{
+ External: &kubeadm.ExternalEtcd{
+ Endpoints: []string{"http://10.100.0.1:2379", "http://10.100.0.2:2379"},
+ },
+ },
+ expectedErrors: false,
+ },
+ }
+
+ for _, tc := range tests {
+ actual := ValidateEtcd(tc.etcd, field.NewPath("etcd"))
+ actualErrors := len(actual) > 0
+ if actualErrors != tc.expectedErrors {
+ t.Errorf("Error: \n\texpected: %t\n\t actual: %t",
+ tc.expectedErrors,
+ actualErrors,
+ )
+ }
+ }
+}
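Review bot: The loop at the end of TestValidateEtcd only compares `len(actual) > 0` with `tc.expectedErrors` and never reports `tc.name` or the returned error list, so a failing case cannot be identified and a case can pass on an error other than the one its name describes. That weakens the TLS cases in particular: the "mutually exclusive" case uses scheme-less endpoints such as `10.100.0.1:2379`, which may be rejected by a different check (ValidateEtcd's body is not visible here), and the KeyFile-without-CertFile half of the pairing condition has no case at all. I would run each case under `t.Run(tc.name, func(t *testing.T) { ... })` and print the list on mismatch, e.g. `t.Errorf("expected errors: %t, got: %v", tc.expectedErrors, actual)`. Adding a case with only `KeyFile` set, and one with only `CAFile` set, would pin the certificate/CA requirements this validation is meant to enforce.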