Custom CA integration

Hi we are integrating istio as a service mesh into a production level application. Istio by default has its own self signed CA which issues certs to workload sidecars. However, we want to store the root/intermediate certificate in azure key vault for security purposes. How can I integrate this into the istio system. I was looking at Istio / Plug in CA Certificates but im not sure how to integrate it from keyvault or how others are setting up their root certs for production level applications.