Different CAs for server / client ingress mTLS

I am trying to build on the secure ingress docs and configure Istio to use a different CA for client verification than that which signed the server cert. Istio does not seem to support this.

Specifically, I have an ingress gateway with a server block like so:

  - hosts:
    - '*.foo.dev'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: MUTUAL
      credentialName: foo-tls

foo-tls is created by cert-manager and has the fields tls.crt, tls.key, and ca.crt. ca.crt is not the ca.crt I want to use for clients – it is the cert of the CA which signed tls.crt.

I figured, then, that I could put the alternate CA crt at foo-tls-cacert, as the docs indicate. However, even when I do that, Istio still prefers the ca.crt in foo-tls. It is only once I delete the ca.crt from foo-tls that foo-tls-cacert is used and my client certs are accepted.

I would expect the more specific foo-tls-cacert to override the ca.crt in foo-tls. Is there a way to support a separate CA cert for ingress clients without mangling cert-manager’s output?
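One way to get the behaviour described above without touching cert-manager's Secret is to derive two new Secrets from it: a copy of foo-tls that carries only tls.crt and tls.key (so there is no ca.crt for the gateway to fall back to), and a companion -cacert Secret holding the client CA under the `cacert` key the secure-ingress docs use. The script below is an added example, not code from the original post or from the Istio project. It assumes the derived credentialName is `foo-tls-istio` (a hypothetical name), that the Secrets live in `istio-system` alongside the gateway, and that the gateway looks up the client CA in `<credentialName>-cacert` as the docs describe; the PEM strings are constructed placeholders, not real keys.

```python
from __future__ import annotations

import base64
import json


def b64(text: str) -> str:
    """base64-encode a UTF-8 string the way Secret.data expects."""
    return base64.b64encode(text.encode()).decode()


def b64d(text: str) -> str:
    """Decode a Secret.data value back to text."""
    return base64.b64decode(text).decode()


# Constructed stand-ins for PEM material; not real certificates or keys.
SERVER_CA_PEM = "-----BEGIN CERTIFICATE-----\nSERVER-ISSUER\n-----END CERTIFICATE-----\n"
CLIENT_CA_PEM = "-----BEGIN CERTIFICATE-----\nCLIENT-ISSUER\n-----END CERTIFICATE-----\n"

# What cert-manager writes for foo-tls: tls.crt, tls.key and ca.crt, where
# ca.crt is the issuer of tls.crt (the server CA), as the post describes.
# Namespace istio-system is an assumption of this example.
CERT_MANAGER_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "foo-tls", "namespace": "istio-system"},
    "type": "kubernetes.io/tls",
    "data": {
        "tls.crt": b64("-----BEGIN CERTIFICATE-----\nSERVER-LEAF\n-----END CERTIFICATE-----\n"),
        "tls.key": b64("-----BEGIN PRIVATE KEY-----\nSERVER-KEY\n-----END PRIVATE KEY-----\n"),
        "ca.crt": b64(SERVER_CA_PEM),
    },
}


def derive_gateway_secrets(src: dict, client_ca_pem: str, name: str) -> tuple[dict, dict]:
    """Build the credentialName Secret and its -cacert companion.

    The first copy carries only tls.crt/tls.key so the gateway cannot fall
    back to cert-manager's ca.crt; the second carries the client trust
    anchor under the 'cacert' key used by the secure-ingress docs.
    """
    data = src["data"]
    missing = [k for k in ("tls.crt", "tls.key") if k not in data]
    if missing:
        raise ValueError(f"source secret lacks {missing}")
    # Refuse to silently reuse the server issuer as the client trust anchor,
    # which is exactly the mix-up the fallback to ca.crt produces.
    if "ca.crt" in data and b64d(data["ca.crt"]).strip() == client_ca_pem.strip():
        raise ValueError("client CA is identical to the server certificate's issuer")
    ns = src["metadata"]["namespace"]
    tls_secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": ns},
        "type": "kubernetes.io/tls",
        # ca.crt is deliberately left out.
        "data": {"tls.crt": data["tls.crt"], "tls.key": data["tls.key"]},
    }
    cacert_secret = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"{name}-cacert", "namespace": ns},
        "type": "Opaque",
        "data": {"cacert": b64(client_ca_pem)},
    }
    return tls_secret, cacert_secret


def gateway_server(name: str, hosts: list[str]) -> dict:
    """The Gateway server entry from the post, pointed at the derived credentialName."""
    return {
        "hosts": hosts,
        "port": {"name": "https", "number": 443, "protocol": "HTTPS"},
        "tls": {"mode": "MUTUAL", "credentialName": name},
    }


def to_manifest(objs: list[dict]) -> str:
    """Render objects as a multi-document stream. JSON is valid YAML, so
    'kubectl apply -f -' accepts this output without a YAML library."""
    return "\n---\n".join(json.dumps(o, indent=2) for o in objs) + "\n"


if __name__ == "__main__":
    tls, cacert = derive_gateway_secrets(CERT_MANAGER_SECRET, CLIENT_CA_PEM, "foo-tls-istio")
    print(to_manifest([tls, cacert]))
    print(json.dumps(gateway_server("foo-tls-istio", ["*.foo.dev"]), indent=2))
```

In practice the source dict would come from `kubectl get secret foo-tls -o json`, and the manifest would be piped into `kubectl apply -f -`; the Gateway's `credentialName` then points at the derived name rather than at cert-manager's object, so cert-manager can keep renewing foo-tls untouched (re-running the script after each renewal is left to the reader's tooling).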