Sweet, this is almost entirely working.
Just to document what I’ve done based on your amazingly-helpful suggestions.
I created a pem file from mycert.crt and mycert.key that can be used with mitmdump --client-cert. cat mycert.key mycert.crt > mycert.pem.
Once that is done, then I can run this mitmdump --upstream-trusted-ca custom_ca_bundle.pem --client-cert mycert.pem
import requests
proxies = {'http' : 'http://localhost:8080',
'https' : 'http://localhost:8080'}
url_1 = 'http://corporate.intranet.site'
url_2 = 'https://secure.intranet.site'
requests.get(url_1, proxies=proxies)
>>> <Response [200]>
requests.get(url_2, proxies=proxies)
>>> Error: tlsv1 alert unknown ca sni: mycert domain name
requests.get(url_2, proxies=proxies, verify=False)
>>> <Response [200]>
From my app, I can see the ssl domain name of the connection coming in is my proxy server, wonderful. Last question for now would be whether you knew why my own cert is throwing certificate verification errors. I added the text of mycert.crt (–begin certificate-- etc) into my custom_ca_bundle and the issuer of mycert.crt should already be in that bundle anyways. The ~/.mitmproxy/mitmproxy-ca-cert.pem text is also in my custom_ca_bundle.
Thanks again for the education and help mhils.