How to configure multi-level certs in Consul Connect

I’m struggling to figure out how to configure a Consul Connect service mesh and its certs.

The model is that I have:

  • a root cert that is the trust anchor (with a key that is securely stored)

  • an intermediate cert (signed by the root key) and intermediate key that can be issued to Consul Connect to sign leaf certs

I would like to configure Consul with both the root cert and intermediate cert, so that it will:

  • offer a cert chain on mTLS interactions that includes both the leaf and intermediate certs

  • perform validation based on the shared root of trust, even if (in principle) the intermediate certs of the two ends of the mTLS exchange differ

Is there any reason why I cannot configure this, or, if I can, any pointers on how? It does seem that Consul Connect supports intermediate certs, but only in Vault mode or when configuring certificate replacement - and I am confused as to whether this is really correct.

Maybe worth clarifying that most of my endpoints are acting as Native Applications, i.e. using Consul Connect as a store distribution point for certificates, config, and intents; I am configuring mTLS etc. myself in a very specific way using iptables and Envoy.
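The two requirements in the post (each side presents leaf + its own intermediate; the verifier trusts only the shared root, so it must accept a peer whose intermediate differs from its own) are easier to reason about with a small model of the PKI. The following is an added example, not code from the post or from Consul, and it assumes a constructed hierarchy of one root, two intermediates and two leaves with made-up names (`shared-root`, `intermediate-a`, `service-b` and so on) built with the `cryptography` package. The chain check walks from the leaf up to a trust anchor using only the intermediates the peer sent, which is the path-building behaviour a TLS verifier such as Envoy performs when its trusted CA is the root and the peer's certificate chain carries the intermediate; it deliberately omits what a real verifier also does (revocation, SAN/SPIFFE identity checks, key usage, path-length limits).

```python
"""Added example (not from the original post): one root, two intermediates,
and a chain check that trusts only the root, so a leaf under either
intermediate verifies as long as the peer presents that intermediate too."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed clock so the constructed certificates are reproducible (assumption, not from the post).
NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cert, issuer_key, *, is_ca, days):
    """Build one certificate; issuer_cert=None means self-signed (the root)."""
    issuer_name = _name(subject_cn) if issuer_cert is None else issuer_cert.subject
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW.replace(tzinfo=None))   # builder expects naive UTC
        .not_valid_after((NOW + dt.timedelta(days=days)).replace(tzinfo=None))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _signature_ok(cert, issuer_pubkey):
    """True if cert's TBS bytes were signed by the EC key issuer_pubkey."""
    try:
        issuer_pubkey.verify(cert.signature, cert.tbs_certificate_bytes,
                             ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _check_validity(cert, now):
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:  # cryptography < 42 exposes only naive UTC datetimes
        nb = cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    if not nb <= now <= na:
        raise ValueError(f"{cert.subject.rfc4514_string()} is outside its validity period")


def verify_chain(leaf, presented_intermediates, trust_anchors, now=NOW):
    """Walk leaf -> intermediates -> trust anchor using only what the peer sent.
    Returns the verified chain (leaf first, anchor last) or raises ValueError."""
    chain, current = [leaf], leaf
    for _ in range(len(presented_intermediates) + 1):  # bounded walk, no cycles
        _check_validity(current, now)
        anchor = next((r for r in trust_anchors if r.subject == current.issuer), None)
        if anchor is not None and _signature_ok(current, anchor.public_key()):
            return chain + [anchor]
        issuer = next((c for c in presented_intermediates
                       if c.subject == current.issuer and _is_ca(c)
                       and _signature_ok(current, c.public_key())), None)
        if issuer is None:
            raise ValueError(f"no issuer found for {current.subject.rfc4514_string()}")
        chain.append(issuer)
        current = issuer
    raise ValueError("chain did not terminate at a trust anchor")


def build_pki():
    """Constructed hierarchy: shared root, intermediate-a/-b, service-a/-b (assumed names)."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = make_cert("shared-root", root_key, None, root_key, is_ca=True, days=3650)
    pki = {"root": root}
    for side in ("a", "b"):
        int_key = ec.generate_private_key(ec.SECP256R1())
        inter = make_cert(f"intermediate-{side}", int_key, root, root_key, is_ca=True, days=365)
        leaf_key = ec.generate_private_key(ec.SECP256R1())
        pki[side] = (make_cert(f"service-{side}", leaf_key, inter, int_key, is_ca=False, days=3), inter)
    return pki


def cross_intermediate_demo():
    """Verifier holds only the root; each peer presents leaf + its own intermediate."""
    pki = build_pki()
    root, (leaf_a, int_a), (leaf_b, int_b) = pki["root"], pki["a"], pki["b"]

    def outcome(leaf, presented):
        try:
            return [c.subject.rfc4514_string() for c in verify_chain(leaf, presented, [root])]
        except ValueError as err:
            return f"rejected: {err}"

    return {
        "a_with_own_intermediate": outcome(leaf_a, [int_a]),
        "b_with_own_intermediate": outcome(leaf_b, [int_b]),
        "a_leaf_only": outcome(leaf_a, []),          # no intermediate sent: cannot reach the root
        "a_with_wrong_intermediate": outcome(leaf_a, [int_b]),
    }


if __name__ == "__main__":
    for case, result in cross_intermediate_demo().items():
        print(f"{case}: {result}")
```

The two rejected cases are the practical point: a peer that sends only its leaf, or the wrong intermediate, cannot be bridged to the root, so whatever issues the leaf certs must also hand the endpoint the intermediate to put in its presented chain, while the validation context on the other side only needs the root.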