Restrict 2-way TLS connection to a specific client cert

Hi all,

To lock down our environment I would like to make the connection between a 3rd party load balancer (F5) and Vault node to be 2-way TLS. A further restriction I would like is to restrict the client-side certificate to a specific certificate.

On RHEL 8 vault.hcl I have the following listener stanza:
listener "tcp" {
  address = "myfqdn.domain:8200"
  tls_cert_file = "/etc/pki/tls/certs/mycert_for_myfqdn.domain.pem"
  tls_key_file = "/etc/pki/tls/private/clearkey_for_mycert_myfqdn.domain.pem"
  tls_require_and_verify_client_cert = true
  tls_client_ca_file = "/etc/pki/tls/certs/rootCA.pem"
}

The problem with this setup is that any client cert is accepted that matches the CA in the included file or the CAs on the box. This does not provide adequate protection as any consumer can generate a certificate and hit the Vault endpoint.

Any ideas how to enforce 2-way TLS to a specific client certificate?
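The listener settings above verify the client chain against a CA, not against one certificate. Below is an added example, not from the post or from Vault itself, of how a Go TLS server (for instance a TLS-terminating hop placed in front of the Vault node) can pin the F5's leaf certificate by SHA-256 fingerprint on top of the CA check; the function names and the DER stand-ins are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fingerprint is the lowercase hex SHA-256 of a certificate's DER bytes, the value
// `openssl x509 -noout -fingerprint -sha256` prints (without the colons).
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinnedClientVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts
// a client only if its leaf certificate is on the allow-list. Go invokes it after the
// ClientCAs chain check, so the CA check (tls_client_ca_file) and the pin must both pass.
func PinnedClientVerifier(allowed []string) func([][]byte, [][]*x509.Certificate) error {
	pins := make(map[string]bool, len(allowed))
	for _, p := range allowed { // accept openssl-style "AB:CD:..." as well as bare hex
		pins[strings.ReplaceAll(strings.ToLower(p), ":", "")] = true
	}
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("client presented no certificate")
		}
		if len(verifiedChains) == 0 { // defence in depth if ClientAuth is ever relaxed
			return fmt.Errorf("client chain was not verified against the client CA")
		}
		if fp := Fingerprint(rawCerts[0]); !pins[fp] {
			return fmt.Errorf("client certificate %s is not on the allow-list", fp)
		}
		return nil
	}
}

// Wiring, equivalent to the listener stanza's two client-cert settings plus the pin:
//   &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caPool,
//               VerifyPeerCertificate: PinnedClientVerifier([]string{f5Fingerprint})}
func main() {
	// Constructed DER stand-ins; a real deployment pins Fingerprint(f5Cert.Raw).
	chain := [][]*x509.Certificate{{&x509.Certificate{}}} // stands in for a CA-verified chain
	verify := PinnedClientVerifier([]string{Fingerprint([]byte("constructed-f5-leaf"))})
	fmt.Println(verify([][]byte{[]byte("constructed-f5-leaf")}, chain))
	fmt.Println(verify([][]byte{[]byte("some-other-cert")}, chain))
}
```

The pin only narrows an already CA-verified chain, so rotating the F5's certificate means updating the allow-list at the same time.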