Istiod is behind Gateway Handling TLS

I am trying to integrate Istio with VMs.

I have Istio 1.10 running on AWS EKS. I've deployed an IngressGateway exposed as type LoadBalancer with the DNS name istiod-pilot.com, and I have provided a certificate signed for my DNS name to the Gateway (protocol: https, port 15020, tls: SIMPLE).

The Istio sidecar running on the VM successfully connects to the remote Istiod when I only provide the root certificate for my DNS name in /etc/certs/root-cert.pem. The initial connection uses the JWT token; after the token expires, Istiod complains: "Authenticator ClientCertAuthenticator: no verified chain is found;"

PROV_CERT = /etc/cert
OUTPUT_CERTS = /etc/cert

What else am I missing?

The problem is that the Istio sidecar is not using the cert chain.
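An added example (not from the original post, and not Istio's own files) of how the gateway in the question would be configured so that the VM sidecar's TLS session reaches Istiod end to end. It follows the pattern of Istio's `samples/multicluster/expose-istiod.yaml`: a `tls` server in PASSTHROUGH mode on istiod's XDS/CA port 15012, routed by SNI to the istiod service. The `istio-system` namespace, the `istio: ingressgateway` selector and the SNI host are assumptions; `istiod-pilot.com` is the DNS name from the post.

```yaml
# Added example, not from the original post. Assumed: gateway pods carry the
# label istio: ingressgateway, and istiod runs in istio-system.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istiod-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 15012          # istiod's XDS + CA port, which is already TLS
        name: tls-istiod
        protocol: TLS
      tls:
        mode: PASSTHROUGH      # do not terminate here (tls: SIMPLE would)
      hosts:
        - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: istiod-vs
  namespace: istio-system
spec:
  hosts:
    - "*"
  gateways:
    - istiod-gateway
  tls:
    - match:
        - port: 15012
          sniHosts:
            - "*"              # or pin it to istiod-pilot.com (assumed SNI)
      route:
        - destination:
            host: istiod.istio-system.svc.cluster.local
            port:
              number: 15012
```

The security-relevant difference from the `tls: SIMPLE` server in the question is where the TLS handshake ends. With SIMPLE mode the gateway terminates TLS with the public DNS certificate, so the client certificate the sidecar presents after its bootstrap JWT expires never reaches Istiod, and `ClientCertAuthenticator` has no chain to verify. With PASSTHROUGH the sidecar negotiates TLS with Istiod itself, which means `/etc/certs/root-cert.pem` on the VM has to be the mesh CA root that Istiod's serving certificate and the VM's workload certificate both chain to, rather than the root of the certificate issued for the DNS name.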