Help needed to add custom header on ingress traffic

I used an nginx ingress and now I want to use Istio in my Kubernetes cluster.
So I am trying to get rid of nginx and use the Istio Gateway and VirtualService instead.

I am currently setting custom headers with certificate values from http://nginx.org/en/docs/http/ngx_http_ssl_module.html via nginx with

more_set_input_headers

I am quite clueless about how to accomplish this task with the Envoy proxies.
Is there someone who could give me a hint or a how-to on how to do this?

I tried reading and testing from the following references:

https://istio.io/docs/reference/config/networking/virtual-service/#Headers-HeaderOperations

https://istio.io/docs/reference/config/networking/envoy-filter/

https://www.envoyproxy.io/docs/envoy/v1.10.0/api-v2/api/v2/route/route.proto

https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter

Your help is much appreciated!

So I am able to add the header to the request, but the header is wrong. I try to read values from the certificate sent by the user and add them to a custom header, but the values are not set.
Note that the custom header is different from the one shown here; listed here are just the values I am trying to receive.
Note that the syntax and indentation here are wrong on purpose for better readability.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: xxx-route
  namespace: default
spec:
  gateways:
    - mesh
    - default/xxx-gateway
  hosts:
    - xxx.example.com
  http:
    - name: myname
      headers:
        request:
          add:
            CUTSOMHEADER: 
"%DOWNSTREAM_PEER_FINGERPRINT_256% 
{%DOWNSTREAM_PEER_ISSUER%} 
%DOWNSTREAM_PEER_SERIAL%
 %DOWNSTREAM_TLS_CIPHER%
 %DOWNSTREAM_PEER_SUBJECT%
{%DOWNSTREAM_PEER_CERT_V_START%}
 {%DOWNSTREAM_PEER_CERT_V_END%} 
      route:
      - destination:
          host: xxx.default.svc.cluster.local
          port:
            number: 8080

See envoy-custom-headers for details on where I got the variables from.

Can someone help me understand why the values are not read from the certificate?