Vault config with tls-enabled Consul as a storage backend

I have recently set up Vault’s storage backend with Consul (TLS enabled).

There are three tls settings for the storage “consul” stanza (tls_ca_file, tls_cert_file, tls_key_file). Is it correct to use the Consul connect standard CA file for the CA setting, and then generate a special client cert and key file for vault as a client of consul, using this CA?

The TLS setup is quite involved for consul, so forgive me if I’ve misunderstood something.