diff --git a/http/handler.go b/http/handler.go
index e6ec8b9735..176d971c01 100644
--- a/http/handler.go
+++ b/http/handler.go
@@ -40,11 +40,11 @@ func Handler(core *vault.Core) http.Handler {
 mux.Handle("/v1/sys/audit/", handleSysAudit(core))
 mux.Handle("/v1/sys/leader", handleSysLeader(core))
 mux.Handle("/v1/sys/health", handleSysHealth(core))
- mux.Handle("/v1/sys/rotate", handleSysRotate(core))
- mux.Handle("/v1/sys/key-status", handleSysKeyStatus(core))
+ mux.Handle("/v1/sys/rotate", proxySysRequest(core))
+ mux.Handle("/v1/sys/key-status", proxySysRequest(core))
 mux.Handle("/v1/sys/rekey/init", handleSysRekeyInit(core))
 mux.Handle("/v1/sys/rekey/update", handleSysRekeyUpdate(core))
- mux.Handle("/v1/", handleLogical(core))
+ mux.Handle("/v1/", handleLogical(core, false))
 // Wrap the handler in another handler to trigger all help paths.
 handler := handleHelpHandler(mux, core)
@@ -214,6 +214,10 @@ func respondOk(w http.ResponseWriter, body interface{}) {
 }
 }
+func proxySysRequest(core *vault.Core) http.Handler {
+ return handleLogical(core, true)
+}
+
 type ErrorResponse struct {
 Errors []string `json:"errors"`
 }
diff --git a/http/logical.go b/http/logical.go
index 0f0b74b960..7b1ba69290 100644
--- a/http/logical.go
+++ b/http/logical.go
@@ -11,7 +11,7 @@ import (
 "github.com/hashicorp/vault/vault"
 )
-func handleLogical(core *vault.Core) http.Handler {
+func handleLogical(core *vault.Core, dataOnly bool) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 // Determine the path...
 if !strings.HasPrefix(r.URL.Path, "/v1/") {
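Review bot: In the Handler hunk of http/handler.go, `/v1/sys/rotate` and `/v1/sys/key-status` now go through proxySysRequest, so the per-route checks of the removed handlers no longer apply: handleSysKeyStatus answered anything but GET with 405, and handleSysRotate accepted only POST and PUT, each with a fixed `Operation` and `Path`. Which operation a request maps to is now decided inside handleLogical, whose body is mostly outside these hunks, so rejection of an unexpected method on a key-rotation endpoint presumably rests on the system backend's path definitions. The visible part of TestSysRotate checks a successful response only; cases asserting that a GET to `/v1/sys/rotate` and a write to `/v1/sys/key-status` do not succeed would pin that behaviour. A line such as `// rotate and key-status are registered explicitly only to get the data-only response format` above the two routes would also explain why they are not left to the "/v1/" catch-all.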
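Review bot: proxySysRequest in http/handler.go is added without a doc comment, and its name does not say how it differs from handleLogical. Something like `// proxySysRequest serves a sys path through the logical request handler and responds with resp.Data only.` would make the contract visible. The bare `true` in `handleLogical(core, true)` reads better with the parameter named next to it, e.g. `handleLogical(core, true /* dataOnly */)`; the same applies to `handleLogical(core, false)` in Handler.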
@@ -72,17 +72,22 @@ func handleLogical(core *vault.Core) http.Handler {
 }
 // Build the proper response
- respondLogical(w, r, path, resp)
+ respondLogical(w, r, path, dataOnly, resp)
 })
 }
-func respondLogical(w http.ResponseWriter, r *http.Request, path string, resp *logical.Response) {
+func respondLogical(w http.ResponseWriter, r *http.Request, path string, dataOnly bool, resp *logical.Response) {
 var httpResp interface{}
 if resp != nil {
 if resp.Redirect != "" {
- // If we have a redirect, redirect! We use a 302 code
+ // If we have a redirect, redirect! We use a 307 code
 // because we don't actually know if its permanent.
- http.Redirect(w, r, resp.Redirect, 302)
+ http.Redirect(w, r, resp.Redirect, 307)
+ return
+ }
+
+ if dataOnly {
+ respondOk(w, resp.Data)
 return
 }
diff --git a/http/sys_lease.go b/http/sys_lease.go
index ce36118d3e..35c4cb54ad 100644
--- a/http/sys_lease.go
+++ b/http/sys_lease.go
@@ -49,7 +49,7 @@ func handleSysRenew(core *vault.Core) http.Handler {
 return
 }
- respondLogical(w, r, path, resp)
+ respondLogical(w, r, path, false, resp)
 })
 }
diff --git a/http/sys_rotate.go b/http/sys_rotate.go
deleted file mode 100644
index ea968adcd1..0000000000
--- a/http/sys_rotate.go
+++ /dev/null
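Review bot: The redirect in respondLogical (http/logical.go) moves from 302 to 307, which changes client behaviour: a 307 has the client repeat the original method and request body at `resp.Redirect`, whereas a 302 is commonly followed with a GET. Where `resp.Redirect` is populated is not visible in this hunk, so it is worth confirming that it can only name a trusted location, because the body of a write request would now be re-sent there. The status reads better as the named constant, `http.Redirect(w, r, resp.Redirect, http.StatusTemporaryRedirect)`. The new `dataOnly` branch sends only `resp.Data`, and a comment such as `// dataOnly: reply with the bare data map; other response fields are deliberately not sent` would record that this is intended. respondLogical continues past the end of the hunk.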
@@ -1,51 +0,0 @@
-package http
-
-import (
- "net/http"
-
- "github.com/hashicorp/vault/logical"
- "github.com/hashicorp/vault/vault"
-)
-
-func handleSysKeyStatus(core *vault.Core) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if r.Method != "GET" {
- respondError(w, http.StatusMethodNotAllowed, nil)
- return
- }
-
- resp, err := core.HandleRequest(requestAuth(r, &logical.Request{
- Operation: logical.ReadOperation,
- Path: "sys/key-status",
- Connection: getConnection(r),
- }))
- if err != nil {
- respondError(w, http.StatusInternalServerError, err)
- return
- }
- respondOk(w, resp.Data)
- })
-}
-
-func handleSysRotate(core *vault.Core) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- switch r.Method {
- case "POST":
- case "PUT":
- default:
- respondError(w, http.StatusMethodNotAllowed, nil)
- return
- }
-
- _, err := core.HandleRequest(requestAuth(r, &logical.Request{
- Operation: logical.WriteOperation,
- Path: "sys/rotate",
- Connection: getConnection(r),
- }))
- if err != nil {
- respondError(w, http.StatusInternalServerError, err)
- return
- }
- respondOk(w, nil)
- })
-}
diff --git a/http/sys_rotate_test.go b/http/sys_rotate_test.go
index aa538e04b9..d47a170e48 100644
--- a/http/sys_rotate_test.go
+++ b/http/sys_rotate_test.go
@@ -30,6 +30,6 @@ func TestSysRotate(t *testing.T) {
 testResponseBody(t, resp, &actual)
 delete(actual, "install_time")
 if !reflect.DeepEqual(actual, expected) {
- t.Fatalf("bad: %#v", actual)
+ t.Fatalf("bad:\nexpected: %#v\nactual: %#v", expected, actual)
 }
 }
diff --git a/vault/logical_system.go b/vault/logical_system.go
index a428f10598..a73e354c07 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -770,7 +770,7 @@ func (b *SystemBackend) handleRotate(
 }
 b.Backend.Logger().Printf("[INFO] sys: installed new encryption key")
- // In non-HA mode, we need to an upgrade path for the standby instances
+ // In HA mode, we need to an upgrade path for the standby instances
 if b.Core.ha != nil {
 // Create the upgrade path to the new term
 if err := b.Core.barrier.CreateUpgrade(newTerm); err != nil {
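Review bot: The corrected comment in handleRotate (vault/logical_system.go) now matches the `b.Core.ha != nil` check but still lacks a verb: "we need to an upgrade path". Suggested wording: `// In HA mode, we need to create an upgrade path for the standby instances`. handleRotate starts and ends outside the hunk.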