diff --git a/agent/agent.go b/agent/agent.go
index ffddfdb4f5..e7f3335a48 100644
--- a/agent/agent.go
+++ b/agent/agent.go
@@ -1200,10 +1200,6 @@ func newConsulConfig(runtimeCfg *config.RuntimeConfig, logger hclog.Logger) (*co
 cfg.TLSConfig = runtimeCfg.ToTLSUtilConfig()
- // Copy the TLS configuration
- if runtimeCfg.CAPath != "" || runtimeCfg.CAFile != "" {
- cfg.UseTLS = true
- }
 cfg.DefaultQueryTime = runtimeCfg.DefaultQueryTime
 cfg.MaxQueryTime = runtimeCfg.MaxQueryTime
diff --git a/agent/consul/config.go b/agent/consul/config.go
index e19bf6a490..81541bbeaa 100644
--- a/agent/consul/config.go
+++ b/agent/consul/config.go
@@ -160,10 +160,6 @@ type Config struct {
 TLSConfig tlsutil.Config
- // UseTLS is used to enable TLS for outgoing connections to other TLS-capable Consul
- // servers. This doesn't imply any verification, it only enables TLS if possible.
- UseTLS bool
-
 // RejoinAfterLeave controls our interaction with Serf.
 // When set to false (default), a leave causes a Consul to not rejoin
 // the cluster until an explicit join is received. If this is set to
diff --git a/agent/consul/rpc_test.go b/agent/consul/rpc_test.go
index a9853cae3e..25ac960768 100644
--- a/agent/consul/rpc_test.go
+++ b/agent/consul/rpc_test.go
@@ -442,7 +442,6 @@ func TestRPC_TLSHandshakeTimeout(t *testing.T) {
 dir1, s1 := testServerWithConfig(t, func(c *Config) {
 c.RPCHandshakeTimeout = 10 * time.Millisecond
- c.UseTLS = true
 c.TLSConfig.CAFile = "../../test/hostname/CertAuth.crt"
 c.TLSConfig.CertFile = "../../test/hostname/Alice.crt"
 c.TLSConfig.KeyFile = "../../test/hostname/Alice.key"
@@ -539,7 +538,6 @@ func TestRPC_PreventsTLSNesting(t *testing.T) {
 for _, tc := range cases {
 t.Run(tc.name, func(t *testing.T) {
 dir1, s1 := testServerWithConfig(t, func(c *Config) {
- c.UseTLS = true
 c.TLSConfig.CAFile = "../../test/hostname/CertAuth.crt"
 c.TLSConfig.CertFile = "../../test/hostname/Alice.crt"
 c.TLSConfig.KeyFile = "../../test/hostname/Alice.key"
@@ -695,7 +693,6 @@ func TestRPC_RPCMaxConnsPerClient(t *testing.T) {
 dir1, s1 := testServerWithConfig(t, func(c *Config) {
 c.RPCMaxConnsPerClient = 2
 if tc.tlsEnabled {
- c.UseTLS = true
 c.TLSConfig.CAFile = "../../test/hostname/CertAuth.crt"
 c.TLSConfig.CertFile = "../../test/hostname/Alice.crt"
 c.TLSConfig.KeyFile = "../../test/hostname/Alice.key"
diff --git a/agent/consul/server.go b/agent/consul/server.go
index f32afed1e4..62136b4788 100644
--- a/agent/consul/server.go
+++ b/agent/consul/server.go
@@ -327,11 +327,6 @@ func NewServer(config *Config, flat Deps) (*Server, error) {
 return nil, err
 }
- // TODO: this is duplicated in newConsulConfig, do it in only on place
- if config.TLSConfig.CAFile != "" || config.TLSConfig.CAPath != "" {
- config.UseTLS = true
- }
-
 // Set the primary DC if it wasn't set.
 if config.PrimaryDatacenter == "" {
 if config.ACLDatacenter != "" {
diff --git a/agent/consul/server_serf.go b/agent/consul/server_serf.go
index b0847eaa49..f26c843028 100644
--- a/agent/consul/server_serf.go
+++ b/agent/consul/server_serf.go
@@ -68,7 +68,7 @@ func (s *Server) setupSerf(conf *serf.Config, ch chan serf.Event, path string, w
 conf.Tags["nonvoter"] = "1"
 conf.Tags["read_replica"] = "1"
 }
- if s.config.UseTLS {
+ if s.config.TLSConfig.CAPath != "" || s.config.TLSConfig.CAFile != "" {
 conf.Tags["use_tls"] = "1"
 }
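Review bot: The inline condition added in setupSerf, `s.config.TLSConfig.CAPath != "" || s.config.TLSConfig.CAFile != ""`, is now the only place that decides whether this server advertises `use_tls`, and nothing at that site says what the tag promises. The doc comment deleted from agent/consul/config.go was the one statement that the setting only enables TLS where possible and implies no verification; I would carry it over here, e.g. `// use_tls marks this server as TLS-capable because a CA is configured; it does not imply any verification.` The agent path used to test `runtimeCfg.CAPath`/`runtimeCfg.CAFile` directly, so the tag stays the same only if `ToTLSUtilConfig()` copies both fields unchanged, which this diff does not show. The tag also appears to be computed once from static file paths, so a CA that arrives by another route or changes at runtime would not be reflected; worth confirming. setupSerf begins and ends outside the hunk.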