External CA key/cert expiration

Hi there,

I have questions around the expiration of the external CA key/cert that’s plugged into Citadel.

  1. I do not suppose we can follow the instructions on https://istio.io/docs/ops/configuration/security/root-transition/ exactly as written because they seem to be tailored to the built-in self-signed certs. Correct?
    Is there a separate instruction page and/or script for external CAs?

  2. Also, the page says “This may have some impact on your traffic” and then links to the Envoy hot restart page, which tells me that it’s designed to NOT drop connections. What is the “impact” then that the page is warning us about?

  3. In general, whether or not we’re using an external CA, should we expect downtime when upgrading the signing cert/key? Or should updating the “cacerts” secret just work behind the scenes?