I am currently looking into the same issues.
For auto-renewing mTLS certificates in Consul with Vault, you can use consul-template. An example setup is described in “Generate mTLS Certificates for Consul with Vault”.
Now I’m wondering if it’s possible (or even a good idea at all) to follow a similar approach when setting up Vault itself: how to move Vault into its own intermediate?
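As an added illustration of the consul-template approach mentioned above (not from the post or the linked guide), this is a minimal consul-template configuration plus template that issues a Consul server certificate from a Vault PKI role and reloads Consul on renewal. The Vault address, the mount `pki_int`, the role `consul-server`, the common name and all file paths are assumptions for the example.

```hcl
# /etc/consul-template.d/consul-tls.hcl  (example, paths and names are assumed)

vault {
  address     = "https://vault.example.internal:8200"  # assumed address
  # Token comes from VAULT_TOKEN or the agent's token file; keep renew_token on
  # so a short-lived token does not expire under a long-running agent.
  renew_token = true
}

template {
  source      = "/etc/consul-template.d/consul-server.pem.tpl"
  destination = "/etc/consul.d/tls/consul-server.pem"
  perms       = 0600
  # Consul re-reads certificates on SIGHUP / reload, so the new pair is picked
  # up without a restart.
  command     = "consul reload"
}
```

```hcl
# /etc/consul-template.d/consul-server.pem.tpl  (example template)
#
# One secret call renders certificate, chain and key into a single file.
# Issuing them from separate templates would call pki_int/issue twice and
# produce a key that does not match the certificate.
# consul-template re-renders the template when the lease (here the 24h
# TTL) is close to expiry, which is what gives the automatic renewal.
{{ with secret "pki_int/issue/consul-server" "common_name=server.dc1.consul" "alt_names=localhost" "ip_sans=127.0.0.1" "ttl=24h" }}
{{ .Data.certificate }}
{{ .Data.issuing_ca }}
{{ .Data.private_key }}
{{ end }}
```

Assumed here: Consul's `cert_file` and `key_file` are both pointed at the rendered bundle, which works because the Go TLS loader that Consul uses picks the `CERTIFICATE` and `PRIVATE KEY` PEM blocks by type; if you prefer separate files, keep them in one template so a single issue call backs both.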