Istio with API Gateway using Mutual TLS - Key Rotation requires downtime

Hello Team ,

We have performed below steps for setting up Mutual TLS between API Gateway and Istio.
This works good, however changing certificate on istio or having multiple client cert does not work.

Design(Below scenario works):

i.e. below works:
kubectl create -n istio-system secret generic apigateway-peak-ai-newhe0d
– --from-file=ca.crt=apig-cert-newhe0d.pem
However if we have to rotate client certificate, it requires brief downtime as istio does not work with multiple client certificate.
i.e :
Reference: Generate and configure an SSL certificate for backend authentication - Amazon API Gateway

@YangminZhu Could you take a look?