Adding 3rd party CA to istio-proxy (for egress traffic)

I’m using a serviceEntry and a destinationRule to define a one-way TLS connection to an outside server high-availability list.
These servers have certificates from a common CA - not one that is globally trusted.
If I define the tls mode “SIMPLE” (with no other definitions) the traffic goes through.

But, I need the servers’ cert tp be verified against my particular CA, so that I know for sure the server is authentic.

How can I bring my CA cert into the proxy?
From the documentation, it’s likely to be in the path set in “caCertificates” of the proxy, but how do I put stuff into the proxy in the first place?

(I had rather have it done particularly for my proxy, as other services of the mesh will have their istio configuration - so the use of secrets is preferred).