Istio cert renewal in istio.default secret - Kubernetes cluster

The kubernetes secrets in istio "istio.default " are getting renewed by itself for every 3 months. And it is expected to get pushed to all istio pods. But sometimes we observe it is not, and require restart of all istio pods.

Getting the below message in citadel logs, and this is requiring the istio-policy and istio-ingress pods to be restarted (not all the time) to effect the new cert

2020-06-06T22:19:37 .136889Z info Refreshing secret kube-system/istio.default, either the leaf certificate is about to expire or the root certificate is outdated

Version of istio: 1.1.4
Kubernetes version: 1.13.4

Anyone else has faced similar issue and any suggestions ?