diff --git a/agent/connect/ca/ca_provider_consul.go b/agent/connect/ca/ca_provider_consul.go
index 7d925a40f..2b119c0a3 100644
--- a/agent/connect/ca/ca_provider_consul.go
+++ b/agent/connect/ca/ca_provider_consul.go
@@ -114,7 +114,7 @@ func NewConsulCAProvider(rawConfig map[string]interface{}, delegate ConsulCAStat
 }
 
 func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderConfig, error) {
-	var config *structs.ConsulCAProviderConfig
+	var config structs.ConsulCAProviderConfig
 	if err := mapstructure.WeakDecode(raw, &config); err != nil {
 		return nil, fmt.Errorf("error decoding config: %s", err)
 	}
@@ -123,7 +123,7 @@ func ParseConsulCAConfig(raw map[string]interface{}) (*structs.ConsulCAProviderC
 		return nil, fmt.Errorf("must provide a private key when providing a root cert")
 	}
 
-	return config, nil
+	return &config, nil
 }
 
 // Return the active root CA and generate a new one if needed
diff --git a/agent/connect_ca_endpoint_test.go b/agent/connect_ca_endpoint_test.go
index a9b355e0d..04abcfa9a 100644
--- a/agent/connect_ca_endpoint_test.go
+++ b/agent/connect_ca_endpoint_test.go
@@ -1,11 +1,14 @@
 package agent
 
 import (
+	"bytes"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/consul/agent/connect"
+	connect_ca "github.com/hashicorp/consul/agent/connect/ca"
 	"github.com/hashicorp/consul/agent/structs"
 	"github.com/stretchr/testify/assert"
 )
@@ -42,7 +45,7 @@ func TestConnectCARoots_list(t *testing.T) {
 	req, _ := http.NewRequest("GET", "/v1/connect/ca/roots", nil)
 	resp := httptest.NewRecorder()
 	obj, err := a.srv.ConnectCARoots(resp, req)
-	assert.Nil(err)
+	assert.NoError(err)
 
 	value := obj.(structs.IndexedCARoots)
 	assert.Equal(value.ActiveRootID, ca2.ID)
@@ -54,3 +57,60 @@ func TestConnectCARoots_list(t *testing.T) {
 		assert.Equal("", r.SigningKey)
 	}
 }
+
+func TestConnectCAConfig(t *testing.T) {
+	t.Parallel()
+
+	assert := assert.New(t)
+	a := NewTestAgent(t.Name(), "")
+	defer a.Shutdown()
+
+	expected := &structs.ConsulCAProviderConfig{
+		RotationPeriod: 90 * 24 * time.Hour,
+	}
+
+	// Get the initial config.
+	{
+		req, _ := http.NewRequest("GET", "/v1/connect/ca/configuration", nil)
+		resp := httptest.NewRecorder()
+		obj, err := a.srv.ConnectCAConfiguration(resp, req)
+		assert.NoError(err)
+
+		value := obj.(structs.CAConfiguration)
+		parsed, err := connect_ca.ParseConsulCAConfig(value.Config)
+		assert.NoError(err)
+		assert.Equal("consul", value.Provider)
+		assert.Equal(expected, parsed)
+	}
+
+	// Set the config.
+	{
+		body := bytes.NewBuffer([]byte(`
+		{
+			"Provider": "consul",
+			"Config": {
+				"RotationPeriod": 3600000000000
+			}
+		}`))
+		req, _ := http.NewRequest("PUT", "/v1/connect/ca/configuration", body)
+		resp := httptest.NewRecorder()
+		_, err := a.srv.ConnectCAConfiguration(resp, req)
+		assert.NoError(err)
+	}
+
+	// The config should be updated now.
+	{
+		expected.RotationPeriod = time.Hour
+		req, _ := http.NewRequest("GET", "/v1/connect/ca/configuration", nil)
+		resp := httptest.NewRecorder()
+		obj, err := a.srv.ConnectCAConfiguration(resp, req)
+		assert.NoError(err)
+
+		value := obj.(structs.CAConfiguration)
+		//t.Fatalf("%#v", value)
+		parsed, err := connect_ca.ParseConsulCAConfig(value.Config)
+		assert.NoError(err)
+		assert.Equal("consul", value.Provider)
+		assert.Equal(expected, parsed)
+	}
+}