CSR approval fails while running node_agent


I am trying to setup a VM to access our AWS based Istio service mesh. I am using the official documentation from https://istio.io/docs/examples/virtual-machines/multi-network/

After following all the documentation to copy certificates to the VM etc, I try to start node_agent and it keeps failing after retries with this error message
info pickfirstBalancer: HandleSubConnStateChange: 0xc00013a060, TRANSIENT_FAILURE
2020-01-24T09:43:08.781197Z info pickfirstBalancer: HandleSubConnStateChange: 0xc00013a060, CONNECTING
2020-01-24T09:43:38.004836Z info grpc: addrConn.createTransport failed to connect to {istio-citadel:8060 0 }. Err :connection error: desc = “transport: Error while dialing dial tcp i/o timeout”. Reconnecting…

I dont see any immediate logs in the citadel pod which is supposed to listen on 8060. Sometimes, this message is seen

info grpc: Server.Serve failed to complete security handshake from “”: remote error: tls: unknown certificate

I have verified the certificates by checking their content and they seem to be the same on the VM as well as the aws eks namespace.

Can someone please help on how to go about here? I am not sure where things are breaking.