diff --git a/agent/connect_ca_endpoint.go b/agent/connect_ca_endpoint.go
index 82d1233699..336567cf37 100644
--- a/agent/connect_ca_endpoint.go
+++ b/agent/connect_ca_endpoint.go
@@ -88,6 +88,10 @@ func fixupConfig(conf *structs.CAConfiguration) {
if k == "PrivateKey" && strVal != "" {
conf.Config["PrivateKey"] = "hidden"
}
+ // todo(kyhavlov): add this back in when it's actually used
+ if k == "RotationPeriod" {
+ delete(conf.Config, k)
+ }
case structs.VaultCAProvider:
if k == "Token" && strVal != "" {
conf.Config["Token"] = "hidden"
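Review bot: The added `delete(conf.Config, k)` drops the key silently, so an operator who sets RotationPeriod and reads the configuration back cannot tell whether the value was stored or ignored, and the todo comment does not say that this is a response-side filter rather than a redaction like the `"hidden"` substitution just above it. I would expand the comment to `// RotationPeriod is accepted but, per the todo, not acted on yet; strip it from responses so the GET endpoint does not advertise a rotation schedule that is not enforced. todo(kyhavlov): add this back in when it's actually used`. Deleting from a map while ranging over it is well-defined in Go, so the placement inside the loop is fine. fixupConfig and its switch start above the hunk; from the `case structs.VaultCAProvider:` that follows, the new lines presumably sit in the Consul provider case, so a RotationPeriod key under another provider would be left in place.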
diff --git a/agent/connect_ca_endpoint_test.go b/agent/connect_ca_endpoint_test.go
index afaa5f049b..a14118d010 100644
--- a/agent/connect_ca_endpoint_test.go
+++ b/agent/connect_ca_endpoint_test.go
@@ -2,10 +2,11 @@ package agent
import (
"bytes"
+ "fmt"
"net/http"
"net/http/httptest"
+ "strings"
"testing"
- "time"
"github.com/hashicorp/consul/agent/connect"
ca "github.com/hashicorp/consul/agent/connect/ca"
@@ -65,9 +66,8 @@ func TestConnectCAConfig(t *testing.T) {
a := NewTestAgent(t.Name(), "")
defer a.Shutdown()
- expected := &structs.ConsulCAProviderConfig{
- RotationPeriod: 90 * 24 * time.Hour,
- }
+ root := connect.TestCA(t, nil)
+ expected := &structs.ConsulCAProviderConfig{}
// Get the initial config.
{
@@ -85,13 +85,17 @@ func TestConnectCAConfig(t *testing.T) {
// Set the config.
{
- body := bytes.NewBuffer([]byte(`
- {
- "Provider": "consul",
- "Config": {
- "RotationPeriod": 3600000000000
- }
- }`))
+ conf := fmt.Sprintf(`
+ {
+ "Provider": "consul",
+ "Config": {
+ "PrivateKey": "%s",
+ "RootCert": "%s"
+ }
+ }`,
+ strings.Replace(root.SigningKey, "\n", "\\n", -1),
+ strings.Replace(root.RootCert, "\n", "\\n", -1))
+ body := bytes.NewBuffer([]byte(conf))
req, _ := http.NewRequest("PUT", "/v1/connect/ca/configuration", body)
resp := httptest.NewRecorder()
_, err := a.srv.ConnectCAConfiguration(resp, req)
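Review bot: Escaping the PEM blobs by hand at `strings.Replace(root.SigningKey, "\n", "\\n", -1)` and the RootCert line below it covers only newlines, so a quote or backslash in a future TestCA output would yield invalid JSON and presumably an obscure decode error from the endpoint instead of a clear test failure. Letting encoding/json build the request body removes the fmt template and both Replace calls, and checks its own error. That in turn lets the import hunk in this file drop `fmt` and `strings` in favour of `encoding/json`, and the existing `_, err := a.srv.ConnectCAConfiguration(resp, req)` must become `=` once err is declared by the Marshal call. TestConnectCAConfig starts above the hunk and continues past it.
```go
// … unchanged: agent setup, initial GET block …
conf, err := json.Marshal(map[string]interface{}{
	"Provider": "consul",
	"Config": map[string]string{
		"PrivateKey": root.SigningKey,
		"RootCert":   root.RootCert,
	},
})
if err != nil {
	t.Fatal(err)
}
body := bytes.NewBuffer(conf)
req, _ := http.NewRequest("PUT", "/v1/connect/ca/configuration", body)
resp := httptest.NewRecorder()
_, err = a.srv.ConnectCAConfiguration(resp, req)
// … unchanged: error check and read-back block …
```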
@@ -100,7 +104,8 @@ func TestConnectCAConfig(t *testing.T) {
// The config should be updated now.
{
- expected.RotationPeriod = time.Hour
+ expected.PrivateKey = "hidden"
+ expected.RootCert = root.RootCert
req, _ := http.NewRequest("GET", "/v1/connect/ca/configuration", nil)
resp := httptest.NewRecorder()
obj, err := a.srv.ConnectCAConfiguration(resp, req)
diff --git a/api/connect_ca_test.go b/api/connect_ca_test.go
index 77d047e953..ec5d5a0f32 100644
--- a/api/connect_ca_test.go
+++ b/api/connect_ca_test.go
@@ -1,10 +1,8 @@
package api
import (
+ "strings"
"testing"
- "time"
-
- "github.com/pascaldekloe/goe/verify"
"github.com/hashicorp/consul/testutil"
"github.com/hashicorp/consul/testutil/retry"
@@ -61,10 +59,6 @@ func TestAPI_ConnectCAConfig_get_set(t *testing.T) {
c, s := makeClient(t)
defer s.Stop()
- expected := &ConsulCAProviderConfig{
- RotationPeriod: 90 * 24 * time.Hour,
- }
-
// This fails occasionally if server doesn't have time to bootstrap CA so
// retry
retry.Run(t, func(r *retry.R) {
@@ -75,21 +69,15 @@ func TestAPI_ConnectCAConfig_get_set(t *testing.T) {
if conf.Provider != "consul" {
r.Fatalf("expected default provider, got %q", conf.Provider)
}
- parsed, err := ParseConsulCAConfig(conf.Config)
+ _, err = ParseConsulCAConfig(conf.Config)
r.Check(err)
- verify.Values(r, "", parsed, expected)
// Change a config value and update
- conf.Config["PrivateKey"] = ""
- conf.Config["RotationPeriod"] = 120 * 24 * time.Hour
+ conf.Config["PrivateKey"] = "invalid"
_, err = connect.CASetConfig(conf, nil)
- r.Check(err)
-
- updated, _, err := connect.CAGetConfig(nil)
- r.Check(err)
- expected.RotationPeriod = 120 * 24 * time.Hour
- parsed, err = ParseConsulCAConfig(updated.Config)
- r.Check(err)
- verify.Values(r, "", parsed, expected)
+ if err == nil || !strings.Contains(err.Error(),
+ "error parsing private key \"invalid\": no PEM-encoded data found") {
+ r.Fatal(err)
+ }
})
}
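Review bot: After the change at `conf.Config["PrivateKey"] = "invalid"` the only CASetConfig call in the closure is expected to fail, so the test no longer exercises a successful update followed by a read-back, which is the set half of what TestAPI_ConnectCAConfig_get_set names. Keeping the failure check but adding a first CASetConfig with the fetched configuration (or a fresh key/cert pair), then a CAGetConfig and comparison, would restore that coverage. Matching the full text `error parsing private key "invalid": no PEM-encoded data found` couples the test to wording from the parsing layer, and when err is nil `r.Fatal(err)` prints only `<nil>`; matching `no PEM-encoded data found` and using `r.Fatalf("expected PEM parse error, got %v", err)` would be less brittle and more informative. The asserted message also shows the parse error echoing the submitted PrivateKey value back to the caller, so if that error is logged server-side a mistyped but real key would land in the log; that belongs to the parsing layer outside this diff, but is worth checking. The retry.Run closure and the test function both begin above the hunk.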
diff --git a/website/source/api/connect/ca.html.md b/website/source/api/connect/ca.html.md
index 522dd09274..00fdda13cf 100644
--- a/website/source/api/connect/ca.html.md
+++ b/website/source/api/connect/ca.html.md
@@ -135,7 +135,6 @@ providers, see [Provider Config](/docs/connect/ca.html).
"Config": {
"PrivateKey": "-----BEGIN RSA PRIVATE KEY-----...",
"RootCert": "-----BEGIN CERTIFICATE-----...",
- "RotationPeriod": "720h"
}
}
```
diff --git a/website/source/docs/agent/options.html.md b/website/source/docs/agent/options.html.md
index cd16f90f37..e5fdc1e8c8 100644
--- a/website/source/docs/agent/options.html.md
+++ b/website/source/docs/agent/options.html.md
@@ -698,11 +698,6 @@ Consul will not enable TLS for the HTTP API unless the `https` port has been ass
* `root_cert` The
PEM contents of the root certificate to use for the CA.
- * `rotation_period` The
- frequency with which to re-generate and rotate the private key and root certificate, in the form of a
- duration value such as `720h`. Only applies in the case where the private key or root certificate are
- left blank. Defaults to `2160h` (90 days).
-
#### Vault CA Provider (`ca_provider = "vault"`)
* `address` The address of the Vault
diff --git a/website/source/docs/commands/connect/ca.html.md.erb b/website/source/docs/commands/connect/ca.html.md.erb
index 6f77b478cb..e279d74fda 100644
--- a/website/source/docs/commands/connect/ca.html.md.erb
+++ b/website/source/docs/commands/connect/ca.html.md.erb
@@ -55,11 +55,7 @@ The output looks like this:
```
{
"Provider": "consul",
- "Config": {
- "PrivateKey": null,
- "RootCert": null,
- "RotationPeriod": "2160h"
- },
+ "Config": {},
"CreateIndex": 5,
"ModifyIndex": 197
}