TLS Certificate auth method and tls_client_ca_file

I turned on client authentication for connections to Vault. My configuration file is as follows. The tls_client_ca_file that is set is webClientCA.

listener "tcp" {
  address = "[::]:8200"
  tls_cert_file = "/certs/webServer.crt"
  tls_key_file  = "/certs/webServer.key"
  tls_disable = false
  tls_require_and_verify_client_cert = true
  tls_client_ca_file = "/certs/webClientCA.pem"
}

Then I turned on the TLS Certificate Auth Method and created a CA certificate role. The specified certificate is certClientCA.

curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --cacert webServerCA.pem \
    --request POST \
    --cert client.crt \
    --key client.key \
    --data '{"certificate":"certClientCA contents"}' \
    https://dev.vault.autox.tech:50036/v1/auth/cert/certs/test

At the beginning, the CA certificate I specified in the listener and in the role was the same, and I could log in with the client certificate. Now that the two places are configured differently, which CA should the certificate in curl be issued by? I think it’s webClientCA, but if this is the case, does it mean that the CA configuration of my role must be the same as that of the listener?

curl \
    --request POST \
    --cacert webServerCA.pem \
    --cert client.crt \
    --key client.key \
    --data '{"name": "test"}' \
    https://dev.vault.autox.tech:50036/v1/auth/cert/login

Yes, because the exchange of certificates during the TLS handshake occurs before any details of the HTTP API request are sent.

But, I’m guessing the listener config probably accepts multiple possible client CAs - that’s how TLS software generally works.

Thank you very much for your reply. I think the purpose of choosing a CA certificate when creating a role is to be more flexible.
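
The ordering discussed in this thread, as an added example that is not part of the original posts and is not Vault's own code: it models the listener's tls_client_ca_file check and the role's certificate check with Go's crypto/x509 and reports how far a client certificate gets. The CAs and the client certificate are constructed in memory, the function names are hypothetical, the two CAs are unrelated self-signed roots, and a listener bundle holding both CAs is an assumption taken from the reply's guess.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk) // errors ignored: fixed fixture inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// gatesPassed checks cert against each CA set in order and returns how many it cleared:
// 0 = rejected in the TLS handshake, 1 = handshake ok but no role match, 2 = login ok.
func gatesPassed(cert *x509.Certificate, listenerCAs, roleCAs []*x509.Certificate) int {
	for i, cas := range [][]*x509.Certificate{listenerCAs, roleCAs} {
		pool := x509.NewCertPool()
		for _, ca := range cas {
			pool.AddCert(ca)
		}
		opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := cert.Verify(opts); err != nil {
			return i
		}
	}
	return 2
}

func main() {
	web, _ := issue("webClientCA", nil, nil)
	role, roleKey := issue("certClientCA", nil, nil)
	c, _ := issue("client", role, roleKey) // client cert issued by the role's CA only
	fmt.Println(gatesPassed(c, []*x509.Certificate{web}, []*x509.Certificate{role}), gatesPassed(c, []*x509.Certificate{web, role}, []*x509.Certificate{role}))
}
```

With the listener trusting only webClientCA, a certificate issued by certClientCA stops at gate 0, and one issued by webClientCA stops at gate 1 because the role holds a different CA.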