How to overcome the chicken and egg problem of Consul and Vault encryption?

I am currently looking into the same issues.

For auto-renewing mTLS certificates in Consul with Vault, you can use consul-template. An example setup is described in “Generate mTLS Certificates for Consul with Vault”.

Now I’m wondering if it’s possible (or even a good idea at all) to follow a similar approach when setting up Vault itself: How to move Vault into his own intermediate?