As per https://istio.io/docs/concepts/security/ the diagram shows that citadel issues certs to sidecar proxies but in case we check and debug seems as if certs of perimeter proxies also issued by citadel. Are my findings correct?
Yes, that is correct. The certs Citadel issues to perimeter proxies are used when these proxies make mutually authenticated TLS (mTLS) connections to sidecars in the mesh.
There is a different mechanism for setting the certs the perimeter proxies use for serving external traffic: https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Gateway