Is "providing your own signing CA" actively supported?


I’ve been prototyping setting up istio to have a shared root of trust as another mesh. For this I’ve created a self signed root CA and used it to sign CAs for istio and the other mesh, then followed the “Plug in CA” doc Istio / Plug in CA Certificates to get istio to use the CA is its signing cert.

I got istio to use the CA I’d given it, but couldn’t find any other documentation than that “how to” article and resort to reading source code to work out issues like the cacerts secret has to have specific key names and that this has to be setup before istio is installed. Reading the source code I noticed a comment (istio/istio_ca.go at 7efe0f69e37376e91ec1d2aff0f7a4239a46234b · istio/istio · GitHub). I didn’t fully parse what it was referring to but it suggested that this “Plug in CA” feature is there for back compatability but is otherwise deprecated these days. Is that right?

Is there another up to date way to “plug in CA”? Or is that feature not really supported these days? Is there any documentation that I’ve missed?

My remaining technical questions I haven’t found out yet are: “is there a way to rotate the ‘Plug in CA’”? and “is there a way to provide two root CAs to allow for a smooth transition when rotating the Root CA as well as the ‘Plug-in CA’”?

I’m aware that there’s other solutions to “securing communications between meshes”. Right now I’m just trying to establish what’s possible, rather than selecting a solution to that problem.