diff --git a/http/sys_raft.go b/http/sys_raft.go
index ad675f55c..1dc4a1b46 100644
--- a/http/sys_raft.go
+++ b/http/sys_raft.go
@@ -2,6 +2,7 @@ package http
 
 import (
 	"context"
+	"crypto/tls"
 	"io"
 	"net/http"
 
@@ -28,10 +29,14 @@ func handleSysRaftJoinPost(core *vault.Core, w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	tlsConfig, err := tlsutil.ClientTLSConfig([]byte(req.LeaderCACert), []byte(req.LeaderClientCert), []byte(req.LeaderClientKey))
-	if err != nil {
-		respondError(w, http.StatusBadRequest, err)
-		return
+	var tlsConfig *tls.Config
+	var err error
+	if len(req.LeaderCACert) != 0 || len(req.LeaderClientCert) != 0 || len(req.LeaderClientKey) != 0 {
+		tlsConfig, err = tlsutil.ClientTLSConfig([]byte(req.LeaderCACert), []byte(req.LeaderClientCert), []byte(req.LeaderClientKey))
+		if err != nil {
+			respondError(w, http.StatusBadRequest, err)
+			return
+		}
 	}
 
 	joined, err := core.JoinRaftCluster(context.Background(), req.LeaderAPIAddr, tlsConfig, req.Retry)