diff --git a/internal/commands/exec/exec.go b/internal/commands/exec/exec.go
index ff0876e9c..0913e981f 100644
--- a/internal/commands/exec/exec.go
+++ b/internal/commands/exec/exec.go
@@ -170,6 +170,7 @@ func RunExec(config ExecConfig) (ret int) {
 if err != nil {
 return 1
 }
+ options.UseTLS = true
 options.TLS = tlsConfig
 }
diff --git a/internal/commands/server/server.go b/internal/commands/server/server.go
index 4f4bb713c..53198bd84 100644
--- a/internal/commands/server/server.go
+++ b/internal/commands/server/server.go
@@ -75,20 +75,25 @@ func RunServer(config ServerConfig) int {
 controller.SetStore(store)
 options := consul.DefaultCertManagerOptions()
+ options.Addresses = []string{strings.Split(config.ConsulConfig.Address, ":")[0]}
+ options.GRPCPort = config.ConsulGRPCPort
 options.PrimaryDatacenter = config.PrimaryDatacenter
- tlsConfig, err := api.SetupTLSConfig(&config.ConsulConfig.TLSConfig)
- if err != nil {
- return 1
+ // If either CertFile or CertPEM are set for Consul API client,
+ // use TLS for CertManager gRPC connections
+ if !(config.ConsulConfig.TLSConfig.CertFile == "" &&
+ len(config.ConsulConfig.TLSConfig.CertPEM) == 0) {
+ tlsConfig, err := api.SetupTLSConfig(&config.ConsulConfig.TLSConfig)
+ if err != nil {
+ return 1
+ }
+
+ options.UseTLS = true
+ options.TLS = tlsConfig
 }
 certManager := consul.NewCertManager(
 config.Logger.Named("cert-manager"),
- consul.Config{
- Addresses: []string{strings.Split(config.ConsulConfig.Address, ":")[0]},
- GRPCPort: config.ConsulGRPCPort,
- TLS: tlsConfig,
- },
 client,
 "consul-api-gateway-controller",
 options,
diff --git a/internal/consul/certmanager_test.go b/internal/consul/certmanager_test.go
index 1f6642130..fedc3dd0c 100644
--- a/internal/consul/certmanager_test.go
+++ b/internal/consul/certmanager_test.go
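Review bot: The new guard in RunServer enables TLS for the CertManager gRPC connection only when a client certificate (CertFile or CertPEM) is configured, so a Consul API client set up for server-authenticated TLS alone (CA material or an https scheme, no client cert) now leaves options.UseTLS false and options.TLS nil where the old code always passed the result of api.SetupTLSConfig. For such CA-only deployments that is a downgrade: at best the gRPC dial fails, at worst it proceeds in plaintext if the gRPC port also accepts it (how NewCertManager treats UseTLS=false is outside this diff). Deriving the decision from the whole TLS configuration, and writing the condition positively instead of as a negated conjunction, closes the gap and reads better; assuming ConsulConfig is an api.Config, Scheme, CAFile and CAPem are the relevant fields. The exec.go hunk sets `options.UseTLS = true` under a guard that starts outside its hunk, so the same check should be confirmed there.
```go
	tlsCfg := &config.ConsulConfig.TLSConfig
	// Use TLS for the CertManager gRPC connection whenever the Consul API
	// client itself is configured for TLS (https scheme, CA material, or a
	// client certificate), not only when a client certificate is present.
	useTLS := config.ConsulConfig.Scheme == "https" ||
		tlsCfg.CAFile != "" || len(tlsCfg.CAPem) != 0 ||
		tlsCfg.CertFile != "" || len(tlsCfg.CertPEM) != 0
	if useTLS {
		tlsConfig, err := api.SetupTLSConfig(tlsCfg)
		if err != nil {
			return 1
		}
		options.UseTLS = true
		options.TLS = tlsConfig
	}
	// … unchanged: NewCertManager call …
```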
@@ -57,15 +57,12 @@ func TestManage(t *testing.T) {
 server := runCertServer(t, service, test.leafFailures, test.rootFailures, test.expirations)
 options := DefaultCertManagerOptions()
+ options.Addresses = []string{server.consulAddress}
+ options.GRPCPort = server.consulGRPCPort
 options.Directory = directory
 manager := NewCertManager(
 hclog.Default().Named("certmanager"),
- Config{
- Addresses: []string{server.consulAddress},
- GRPCPort: server.consulGRPCPort,
- TLS: nil,
- },
 NewClient(server.consulHTTPClient),
 service,
 options,
@@ -128,13 +125,11 @@ func TestManage_Refresh(t *testing.T) {
 server := runCertServer(t, service, 0, 0, 2)
 options := DefaultCertManagerOptions()
+ options.Addresses = []string{server.consulAddress}
+ options.GRPCPort = server.consulGRPCPort
+
 manager := NewCertManager(
 hclog.Default().Named("certmanager"),
- Config{
- Addresses: []string{server.consulAddress},
- GRPCPort: server.consulGRPCPort,
- TLS: nil,
- },
 NewClient(server.consulHTTPClient),
 service,
 options,
@@ -188,7 +183,6 @@ func TestManage_WaitCancel(t *testing.T) {
 err := NewCertManager(
 hclog.Default().Named("certmanager"),
- Config{},
 nil,
 "",
 nil,
@@ -455,7 +449,6 @@ func TestRenderSDS(t *testing.T) {
 options.Directory = "/certs"
 manager := NewCertManager(
 hclog.Default().Named("certmanager"),
- Config{},
 nil,
 gwTesting.RandomString(),
 options,
diff --git a/internal/testing/e2e/consul.go b/internal/testing/e2e/consul.go
index d172f767c..60dd19254 100644
--- a/internal/testing/e2e/consul.go
+++ b/internal/testing/e2e/consul.go
@@ -89,6 +89,7 @@ func init() {
 type consulTestEnvironment struct {
 ca []byte
+ consulUseTLS bool
 consulTLSConfig *tls.Config
 consulClient *api.Client
 token string
@@ -219,6 +220,7 @@ func CreateTestConsulContainer(name, namespace string) env.Func {
 env := &consulTestEnvironment{
 ca: rootCA.CertBytes,
+ consulUseTLS: true,
 consulTLSConfig: consulTLSConfig,
 consulClient: consulClient,
 httpPort: httpsPort,
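Review bot: None of the updated tests exercises the new UseTLS option: TestManage and TestManage_Refresh leave options.UseTLS at whatever DefaultCertManagerOptions returns and never set options.TLS, so the TLS-versus-plaintext selection that replaced the removed Config.TLS field has no coverage in either direction. Since this file previously passed `TLS: nil` explicitly, a case with `options.UseTLS = true` and options.TLS set to the test server's *tls.Config (placeholder: <server TLS config>) would pin that the credentials are actually applied to the gRPC dial, and a case with UseTLS true but TLS nil would document whether NewCertManager rejects or tolerates that inconsistent pair (its behaviour is outside this diff). The same gap applies to the TestManage_Refresh hunk; the two hunks that only drop `Config{}` need nothing.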
@@ -458,6 +460,10 @@ func consulDeployment(namespace string, httpsPort, grpcPort int) *apps.Deploymen
 }
 }
+func ConsulUseTLS(ctx context.Context) bool {
+ return mustGetTestEnvironment(ctx).consulUseTLS
+}
+
 func ConsulTLSConfig(ctx context.Context) *tls.Config {
 return mustGetTestEnvironment(ctx).consulTLSConfig
 }
diff --git a/internal/testing/e2e/gateway.go b/internal/testing/e2e/gateway.go
index 7b86680ce..488a03c3c 100644
--- a/internal/testing/e2e/gateway.go
+++ b/internal/testing/e2e/gateway.go
@@ -81,14 +81,13 @@ func (p *gatewayTestEnvironment) run(ctx context.Context, namespace string, cfg
 // set up the cert manager
 certManagerOptions := consul.DefaultCertManagerOptions()
+ certManagerOptions.Addresses = []string{"localhost"}
+ certManagerOptions.GRPCPort = ConsulGRPCPort(ctx)
+ certManagerOptions.UseTLS = ConsulUseTLS(ctx)
+ certManagerOptions.TLS = ConsulTLSConfig(ctx)
 certManagerOptions.Directory = p.directory
 certManager := consul.NewCertManager(
 nullLogger,
- consul.Config{
- Addresses: []string{"localhost"},
- GRPCPort: ConsulGRPCPort(ctx),
- TLS: ConsulTLSConfig(ctx),
- },
 client,
 "consul-api-gateway",
 certManagerOptions,
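Review bot: ConsulUseTLS is a new exported function with no doc comment; the sibling ConsulTLSConfig below it has none either, but a new exported name should get one, e.g. `// ConsulUseTLS reports whether the Consul test environment in ctx was created with TLS enabled for gRPC connections.` In this diff consulUseTLS is only assigned once, to true, in CreateTestConsulContainer, so a sentence in that comment noting that the e2e environment never exercises the plaintext path would help readers of gateway.go, where the value feeds certManagerOptions.UseTLS alongside ConsulTLSConfig(ctx).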