There is one more option that you could use but is usually not considered as a best practice from a security standpoint in some scenarios.
But considering that you are talking to a service running on localhost and if you are not worried too much about the CA who signed the certificate of the agent you can disable SSL certificate validation by setting the CONSUL_HTTP_SSL_VERIFY variable to false.
By doing the above you don’t have to extract the connect CA and set the CONSUL_CACERT variable to talk to Consul.