Why does the K8s Consul/Vault integration create so many certificates?

Installing Consul in Kubernetes with the following configuration:

# Global settings for the Consul Helm release: TLS, gossip encryption,
# the Vault secrets backend and ACL bootstrapping.
global:
  name: consul
  datacenter: vinhedo
  domain: consul
  logJSON: true
  tls:
    enabled: true
    # With secretsBackend.vault enabled below, this secretName is presumably
    # a Vault path on the pki_consul mount, not a Kubernetes Secret name.
    caCert:
      secretName: pki_consul/cert/ca
    enableAutoEncrypt: true
    # Extra DNS name added to the server certificates' SANs.
    serverAdditionalDNSSANs:
      - consul.vinhedo.kugelbit.work
    # Restricts the API to HTTPS (no plain-HTTP listener) - confirm against
    # the chart version in use.
    httpsOnly: true
  gossipEncryption:
    # The chart does not generate the gossip key; it is read from the
    # reference below, field "key".
    autoGenerate: false
    secretName: consul-kv/data/secrets/gossip
    secretKey: key
  secretsBackend:
    vault:
      enabled: true
      # One Vault role name per Consul component. The policies bound to
      # these roles are not shown here; each should only allow the paths
      # that component reads - TODO confirm in Vault.
      consulServerRole: consul-server
      consulCARole: consul-ca
      consulClientRole: consul-client
      connectInjectRole: consul-connect-injector
      manageSystemACLsRole: consul-server-acl-init
  acls:
    manageSystemACLs: true
    # The ACL bootstrap token is referenced by path and field rather than
    # written inline in this values file.
    bootstrapToken:
      secretName: consul-kv/data/secrets/acl/bootstrap-token
      secretKey: token
  # Block scalar: the value is passed as a string, so nothing may be added
  # inside it without changing the rendered selector.
  nodeSelector: |
    kubernetes.io/arch: amd64

# Consul DNS service: enabled, with redirection and a fixed ClusterIP.
dns:
  enabled: true
  enableRedirection: true
  # Pinned service IP; it must be free and inside the cluster's service
  # range - TODO confirm for the target cluster.
  clusterIP: 10.96.254.3
  # Block scalar (string) holding the service annotation; this one asks
  # external-dns for an internal hostname.
  annotations: |
    external-dns.alpha.kubernetes.io/internal-hostname: consul-dns.vinhedo.kugelbit.work
# Connect (service mesh) injector settings. In this first configuration the
# injector is switched off and injection is not the default.
connectInject:
  enabled: false
  default: false
  apiGateway:
    manageExternalCRDs: true
    managedGatewayClass:
      # Gateways of this class are exposed through a LoadBalancer service.
      serviceType: LoadBalancer
      copyAnnotations:
        service:
          # Block scalar (string) listing the annotation keys to copy onto
          # the gateway service; all three are OCI load-balancer keys.
          annotations: |
            - oci.oraclecloud.com/load-balancer-type
            - oci-network-load-balancer.oraclecloud.com/security-list-management-mode
            - oci-network-load-balancer.oraclecloud.com/is-preserve-source
  # Only namespaces labelled connect-inject=enabled are selected.
  namespaceSelector: |
    matchLabels:
      connect-inject: enabled
  cni:
    enabled: false
    logLevel: info
    cniBinDir: "/opt/cni/bin"
    cniNetDir: "/etc/cni/net.d"
# Catalog sync between Kubernetes services and Consul (no sidecar involved).
syncCatalog:
  # Catalog sync is switched off in this first configuration; the remaining
  # keys only matter once it is enabled.
  enabled: false
  # Opt-in model: a Service is synchronized only if it carries the annotation
  #        consul.hashicorp.com/service-sync: "true"
  default: false
  # Synchronize from Kubernetes to Consul:
  toConsul: true
  # But not from Consul to K8s:
  toK8S: false
# Consul server StatefulSet: three replicas, mesh (connect) disabled.
server:
  replicas: 3
  connect: false
  # Matches replicas, so the cluster waits for all three servers.
  bootstrapExpect: 3
  storage: 30Gi
  storageClass: local-path
  # Server TLS certificates are requested from this issue path on the
  # pki_consul mount. NOTE(review): the author reports 6 certificates for
  # 3 replicas; a possible cause is that more than one Vault Agent container
  # per pod requests a certificate - confirm in the Vault audit log.
  serverCert:
    secretName: pki_consul/issue/consul-server
  nodeSelector: |
    kubernetes.io/arch: amd64

# Client agents are not deployed in this first configuration; grpc only
# takes effect once they are enabled.
client:
  enabled: false
  grpc: true

It creates 6 certificates in Vault, all of them with the same information. That's OK; I was expecting just 3, but fine. Now I enable the Consul mesh:

# Global settings for the second configuration: same TLS, gossip and ACL
# setup, plus Vault as the Connect (service mesh) CA.
global:
  name: consul
  datacenter: vinhedo
  domain: consul
  logJSON: true
  tls:
    enabled: true
    # The CA is read from the root mount "pki" here, while the connectInject
    # CA further down is read from "pki_consul".
    caCert:
      secretName: pki/cert/ca
    enableAutoEncrypt: true
    serverAdditionalDNSSANs:
      - consul.vinhedo.kugelbit.work
    httpsOnly: true
  gossipEncryption:
    # The gossip key is read from the reference below, not generated.
    autoGenerate: false
    secretName: consul-kv/data/secrets/gossip
    secretKey: key
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
      consulCARole: consul-ca
      consulClientRole: consul-client
      connectInjectRole: consul-connect-injector
      # NOTE(review): ACL init and admin partitions share one Vault role;
      # separate roles would keep each policy narrower - confirm intent.
      manageSystemACLsRole: consul-server-acl-init
      adminPartitionsRole: consul-server-acl-init
      # CA certificate used to verify Vault's TLS endpoint, taken from
      # key "vault.ca" of the secret "vault-ca-tls".
      ca:
        secretName: vault-ca-tls
        secretKey: vault.ca
      connectCA:
        address: https://vault.vinhedo.kugelbit.work
        rootPKIPath: pki
        # NOTE(review): pki_consul is also the mount the connectInject
        # caCert/tlsCert paths below point at. Sharing one mount between
        # the mesh intermediate CA and other TLS issuance mixes both sets
        # of certificates in one store; a dedicated mount for the Connect CA
        # is presumably cleaner - confirm against the Consul documentation.
        intermediatePKIPath: pki_consul
        # Block scalar holding JSON: no comments may be placed inside it.
        # It sets the Vault namespace "hashicorp", 72h leaf certificates,
        # a 2160h rotation period, 8760h intermediates and RSA 2048 keys.
        # NOTE(review): with a 72h leaf TTL every mesh certificate is
        # re-issued at least every three days, and each signing presumably
        # leaves an entry in the pki_consul certificate store. That would
        # match the growth the author reports; the Vault audit log shows
        # who requests them, and Vault's PKI tidy operation removes expired
        # entries - TODO confirm.
        additionalConfig: |
          {
            "connect": [{
              "ca_config": [{
                   "namespace": "hashicorp",
                   "leaf_cert_ttl": "72h",
                   "rotation_period": "2160h",
                   "intermediate_cert_ttl": "8760h",
                   "private_key_type": "rsa",
                   "private_key_bits": 2048
                }]
            }]
          }
      # Certificates for the connect injector come from pki_consul.
      connectInject:
        caCert:
          secretName: pki_consul/cert/ca
        tlsCert:
          secretName: pki_consul/issue/connect-inject-role
  acls:
    manageSystemACLs: true
    # The ACL bootstrap token is referenced by path and field rather than
    # written inline in this values file.
    bootstrapToken:
      secretName: consul-kv/data/secrets/acl/bootstrap-token
      secretKey: token
  nodeSelector: |
    kubernetes.io/arch: amd64

# Consul DNS with redirection; unlike the first configuration, no fixed
# ClusterIP or annotations are set here.
dns:
  enabled: true
  enableRedirection: true
# Connect injector settings for the second configuration.
connectInject:
  # NOTE(review): enabled is still false while default is true; default
  # presumably has no effect until the injector is enabled - confirm this
  # is the configuration that was actually applied.
  enabled: false
  default: true
  apiGateway:
    manageExternalCRDs: true
    managedGatewayClass:
      # Gateways of this class are exposed through a LoadBalancer service.
      serviceType: LoadBalancer
      copyAnnotations:
        service:
          # Block scalar (string) listing the annotation keys to copy onto
          # the gateway service; all three are OCI load-balancer keys.
          annotations: |
            - oci.oraclecloud.com/load-balancer-type
            - oci-network-load-balancer.oraclecloud.com/security-list-management-mode
            - oci-network-load-balancer.oraclecloud.com/is-preserve-source
  # Only namespaces labelled connect-inject=enabled are selected.
  namespaceSelector: |
    matchLabels:
      connect-inject: enabled
  cni:
    enabled: false
    logLevel: info
    cniBinDir: "/opt/cni/bin"
    cniNetDir: "/etc/cni/net.d"
# Catalog sync between Kubernetes services and Consul (no sidecar involved).
syncCatalog:
  # Catalog sync is switched on in this second configuration.
  enabled: true
  # Opt-in model: a Service is synchronized only if it carries the annotation
  #        consul.hashicorp.com/service-sync: "true"
  default: false
  # Synchronize from Kubernetes to Consul:
  toConsul: true
  # But not from Consul to K8s:
  toK8S: false
# Consul server StatefulSet for the second configuration. "connect: false"
# from the first configuration is no longer set here.
server:
  replicas: 3
  bootstrapExpect: 3
  storage: 30Gi
  storageClass: local-path
  # Server TLS certificates are requested from this issue path, on the same
  # pki_consul mount that global.secretsBackend.vault.connectCA uses as its
  # intermediate PKI path.
  serverCert:
    secretName: pki_consul/issue/consul-server
  # CA file the server process uses to verify Vault's TLS certificate.
  # NOTE(review): confirm this path exists inside the server pod; a wrong
  # path would break verification of the Vault endpoint.
  extraEnvironmentVars:
    VAULT_CACERT: /consul/vault-ca/tls.crt
  extraVolumes:
    - type: "secret"
      name: vault-ca-tls
      # NOTE(review): "false" is a quoted string, not a boolean. If the
      # chart tests this value for truthiness, a non-empty string counts
      # as true - presumably `load: false` was intended; confirm.
      load: "false"
  nodeSelector: |
    kubernetes.io/arch: amd64
# Client agents are deployed in the second configuration.
# NOTE(review): with global.tls.enableAutoEncrypt set, each client agent
# presumably obtains its TLS certificate through the servers, which adds to
# the number of certificates issued - confirm in the Vault audit log.
client:
  enabled: true
  grpc: true
  # CA file used to verify Vault's TLS certificate. This path differs from
  # the one set for the servers; confirm it exists inside the client pods.
  extraEnvironmentVars:
    VAULT_CACERT: /vault/custom/vault.ca

Now, the last time I checked, I had more than 200 pages of certificates in the pki_consul Vault UI, which is a lot!
I restored a backup, and I'm no longer using the service mesh with Consul, but I will keep an eye on whether it keeps creating certificates (I had set them to a 90-day expiration; now that I have disabled connect inject, they are set to 365 days).