This is probably somewhere between Configuration and Security.
I’m looking at making it possible to supply a custom root certificate for the JWKSResolver, so that if you’re using jwksUri in a Policy, you can host your JWKS on a HTTPS server with a self-signed or corporate CA certificate. Is the MeshConfig the right place to do this or am I looking in the wrong place here? Any hints would be greatly appreciated 
For more context see the corresponding issue.
Thank you!