Istio mTLS CA certs request SAN list with Istio >1.6

I am looking for a way to request CA certs which are signed by a CA authority for mTLS.
The trusted domain is cluster.local.
I need to request a root cert and need to provide a SAN list. What is going to be in the SAN list so that all the workloads within the Kubernetes cluster get the certs, signed by the root cert?

cc @Oliver for CA certs related issues.