For the Istio add-on: Citadel creates a self-signed root certificate and root private key and stores both in the Kubernetes secret istio-ca-secret (in the istio-system namespace). That secret is the source of truth for the mesh CA, so anyone with read access to it can mint arbitrary workload identities; its RBAC is effectively the mesh's trust boundary.
Citadel periodically checks each workload certificate and rotates it before it expires. Workload certificates are signed with the root private key, so they chain to the root certificate.
In the Istio 1.1 release, Citadel does not automatically rotate the root certificate. There is a script that generates a new root certificate from the existing root private key; because the key is unchanged, certificates already issued under the old root still chain to the new one. See https://istio.io/docs/ops/security/root-transition/.
We are working on supporting Citadel auto root cert rotation for 1.2+. @Oliver
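The root transition described above, replayed in code as an added example (this is not Istio's or Citadel's own code, and the dates, lifetimes, the 0.5 grace-period ratio, the organization name and the SPIFFE ID are constructed for the demonstration): a workload certificate issued late in the original root's life outlives that root, fails to verify once the root has expired, and verifies again against a new root certificate minted from the same private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

const day = 24 * time.Hour

// mintRoot returns a self-signed CA certificate for rootKey. Calling it a second
// time with the same key is the root-transition move: new cert, later NotAfter,
// same root private key.
func mintRoot(rootKey *ecdsa.PrivateKey, serial int64, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),                                    // a real CA uses a random, unique serial
		Subject:               pkix.Name{Organization: []string{"example-cluster"}}, // assumed name
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// mintWorkload issues a workload certificate signed with the root private key,
// carrying the workload's SPIFFE ID as a URI SAN and an empty subject.
func mintWorkload(root *x509.Certificate, rootKey *ecdsa.PrivateKey, spiffeID string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	wlKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &wlKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst builds the chain workload -> root at time `at`. Go checks the
// validity period of every certificate in the chain, the root included, so an
// expired root fails here even when the workload cert itself is still valid.
func verifyAgainst(leaf, root *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// needsRotation applies a grace-period ratio: rotate once less than graceRatio
// of the certificate's total lifetime remains.
func needsRotation(c *x509.Certificate, now time.Time, graceRatio float64) bool {
	total := c.NotAfter.Sub(c.NotBefore)
	remaining := c.NotAfter.Sub(now)
	return float64(remaining) < graceRatio*float64(total)
}

type TransitionResult struct {
	WorkloadNeedsRotation bool
	OldRootErr            error // chain check against the expired original root
	NewRootErr            error // chain check against the transitioned root
}

// RunRootTransition replays the scenario with constructed dates.
func RunRootTransition() (TransitionResult, error) {
	var res TransitionResult
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return res, err
	}
	t0 := time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)
	oldRoot, err := mintRoot(rootKey, 1, t0, 365*day) // original root, one-year lifetime (constructed)
	if err != nil {
		return res, err
	}
	// Workload cert issued on day 300 with a 90-day lifetime: it outlives the old root.
	wl, err := mintWorkload(oldRoot, rootKey, "spiffe://cluster.local/ns/default/sa/default", t0.Add(300*day), 90*day)
	if err != nil {
		return res, err
	}
	newRoot, err := mintRoot(rootKey, 2, t0.Add(350*day), 3650*day) // transition on day 350: same key, ten-year cert
	if err != nil {
		return res, err
	}
	now := t0.Add(380 * day) // old root expired 15 days ago; workload cert has 10 of 90 days left
	res.OldRootErr = verifyAgainst(wl, oldRoot, now)
	res.NewRootErr = verifyAgainst(wl, newRoot, now)
	res.WorkloadNeedsRotation = needsRotation(wl, now, 0.5)
	return res, nil
}
```

The chain verifies against the new root because chain building matches the workload cert's issuer name and authority key identifier, and checks its signature with the root's public key; none of those change when only the root certificate is reissued. On a live 1.1 cluster the equivalent expiry check on the stored root is kubectl -n istio-system get secret istio-ca-secret -o jsonpath='{.data.ca-cert\.pem}' | base64 -d | openssl x509 -noout -enddate.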