Certificate bootstrapping for SDS

I’m doing my masters’ thesis about Istio’s security and I haven’t found exactly which are the paths of the certificates and keys the sidecar and the CA authority use in the SDS bootstrapping, right before new ones are created through the SDS process. Are those default paths selected by Envoy or are they specified in the Istio source code? Are they under /etc/certs in both entities?