diff --git a/agent/connect_ca_endpoint.go b/agent/connect_ca_endpoint.go
index e3efde1a5..82d123369 100644
--- a/agent/connect_ca_endpoint.go
+++ b/agent/connect_ca_endpoint.go
@@ -81,14 +81,15 @@ func (s *HTTPServer) ConnectCAConfigurationSet(resp http.ResponseWriter, req *ht
 func fixupConfig(conf *structs.CAConfiguration) {
 	for k, v := range conf.Config {
 		if raw, ok := v.([]uint8); ok {
-			conf.Config[k] = ca.Uint8ToString(raw)
+			strVal := ca.Uint8ToString(raw)
+			conf.Config[k] = strVal
 			switch conf.Provider {
 			case structs.ConsulCAProvider:
-				if k == "PrivateKey" && ca.Uint8ToString(raw) != "" {
+				if k == "PrivateKey" && strVal != "" {
 					conf.Config["PrivateKey"] = "hidden"
 				}
 			case structs.VaultCAProvider:
-				if k == "Token" && ca.Uint8ToString(raw) != "" {
+				if k == "Token" && strVal != "" {
 					conf.Config["Token"] = "hidden"
 				}
 			}
diff --git a/agent/consul/config.go b/agent/consul/config.go
index 66f7c65f0..29a524531 100644
--- a/agent/consul/config.go
+++ b/agent/consul/config.go
@@ -436,8 +436,6 @@ func DefaultConfig() *Config {
 		CAConfig: &structs.CAConfiguration{
 			Provider: "consul",
 			Config: map[string]interface{}{
-				"PrivateKey":     "",
-				"RootCert":       "",
 				"RotationPeriod": "2160h",
 			},
 		},
diff --git a/website/source/docs/connect/ca.html.md b/website/source/docs/connect/ca.html.md
index 544263ca8..72d334f23 100644
--- a/website/source/docs/connect/ca.html.md
+++ b/website/source/docs/connect/ca.html.md
@@ -67,8 +67,6 @@ $ curl localhost:8500/v1/connect/ca/configuration
 {
     "Provider": "consul",
     "Config": {
-        "PrivateKey": null,
-        "RootCert": null,
         "RotationPeriod": "2160h"
     },
     "CreateIndex": 5,
@@ -77,8 +75,8 @@ $ curl localhost:8500/v1/connect/ca/configuration
 ```
 
 This is the default Connect CA configuration if nothing is explicitly set when
-Connect is enabled - the PrivateKey and RootCert fields are both empty, and have been
-generated (as seen above).
+Connect is enabled - the PrivateKey and RootCert fields have not been set, so those have
+been generated (as seen above in the roots list).
 
 There are two ways to have the Consul CA use a custom private key and root certificate:
 either through the `ca_config` section of the [Agent configuration]