I have a service exposed on the internet at my-mtls-protected-service.my-company.com. It is an Nginx configured for mTLS. The root certificate is the same as the one I used for generating the CAs of my Istio (1.12) meshes.
Now I want the workloads in my Istio meshes to be able to communicate with my-mtls-protected-service.my-company.com using the autogenerated certificates from istiod.
I have added my-mtls-protected-service.my-company.com as a ServiceEntry, and then tried to enforce ISTIO_MUTUAL using a DestinationRule. When running curl towards my-mtls-protected-service.my-company.com from the main container of a meshed pod, the Istio proxy still does not provide the autogenerated certificates.
The logs of the sidecar proxy (log level: debug) state this:
envoy connection X509_verify_cert: certificate verification error at depth 1: unable to get local issuer certificate
Which I guess is an indication of Istio proxy not considering its /run/secrets/istio/root-cert.pem.
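
Added example, not part of the original post: a reproduction of what "error at depth 1: unable to get local issuer certificate" means, using the openssl CLI as a stand-in for the proxy's verifier and a constructed throwaway PKI. The names root-a, root-b, int and leaf and the helper functions are made up for this illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: root-a -> intermediate -> leaf, plus an unrelated root-b.
# All names, keys and certificates are test data generated on the spot.

make_pki() {  # make_pki <dir>
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$d/pki.cnf"
    for r in root-a root-b; do
        openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
            -days 1 -subj "/CN=$r" -keyout "$d/$r.key" -out "$d/$r.pem" 2>/dev/null || return 1
    done
    for c in int leaf; do
        openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$c" \
            -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null || return 1
    done
    # The intermediate is a CA signed by root-a; the leaf is signed by the intermediate.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root-a.pem" -CAkey "$d/root-a.key" \
        -CAcreateserial -days 1 -extfile "$d/pki.cnf" -extensions v3_ca \
        -out "$d/int.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# verify_chain <trusted-root.pem> <leaf.pem> [intermediate.pem]
# Prints OpenSSL's verdict and returns its exit status.
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi
}

demo() {
    t=$(mktemp -d) && make_pki "$t" || return 1
    echo "== trusting root-a, intermediate presented =="
    verify_chain "$t/root-a.pem" "$t/leaf.pem" "$t/int.pem"
    echo "== trusting root-b, intermediate presented =="
    verify_chain "$t/root-b.pem" "$t/leaf.pem" "$t/int.pem"
    echo "== trusting root-a, intermediate not presented =="
    verify_chain "$t/root-a.pem" "$t/leaf.pem"
    rm -rf "$t"
}
demo || echo "demo could not run (is openssl installed?)" >&2
```

The depth in the message is the position in the presented chain of the certificate whose issuer could not be found among the verifier's trust anchors: 0 is the leaf, 1 is the certificate that signed it.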