diff --git a/tlsutil/config.go b/tlsutil/config.go
index d9b20e2ab1..8d66cf9750 100644
--- a/tlsutil/config.go
+++ b/tlsutil/config.go
@@ -163,6 +163,8 @@ func (a autoTLS) caPems() []string {
 return append(a.manualCAPems, a.connectCAPems...)
 }

+// manual stores the TLS CA and cert received from Configurator.Update which
+// generally comes from the agent configuration.
 type manual struct {
 caPems []string
 cert *tls.Certificate
@@ -177,7 +179,7 @@ type Configurator struct {
 lock sync.RWMutex
 base *Config
 autoTLS autoTLS
- manual *manual
+ manual manual
 caPool *x509.CertPool
 // peerDatacenterUseTLS is a map of DC name to a bool indicating if the DC
 // uses TLS for RPC requests.
@@ -202,7 +204,6 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)

 c := &Configurator{
 logger: logger.Named(logging.TLSUtil),
- manual: &manual{},
 peerDatacenterUseTLS: map[string]bool{},
 }
 err := c.Update(config)
diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
index e681036dba..0811c00ac8 100644
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
@@ -506,7 +506,7 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
 variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
 }

- c := Configurator{manual: &manual{}}
+ c := Configurator{}
 for i, v := range variants {
 info := fmt.Sprintf("case %d, config: %+v", i, v.config)
 _, err1 := NewConfigurator(v.config, nil)
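Review bot: The `manual manual` field in `Configurator` (second hunk of tlsutil/config.go) is now held by value, and nothing in the struct states that `lock` protects it. Replacing the pair becomes a multi-word struct copy rather than a single pointer store. A reader that touches `c.manual.caPems` or `c.manual.cert` without holding `lock` could then see a CA list and a certificate from two different updates. The accessors and `Update` are outside this diff, so this should be confirmed against them. I would record the invariant on the field itself, for example `// manual holds the agent-configured CA and cert; guarded by lock.` The struct body starts and ends outside the hunk.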