Multi Root for workload mTLS for different users/tenants -- Is this something you want?

Istio will sign all workloads’ (Pod’s) CSR via one root cert and private key. It means certs for all workloads will be signed by the same root cert/private key.

In some cases, especially edge scenarios, there are multiple users/tenants in a single mesh in the cluster. Tenants require strong security isolation: certs for different tenants’ workloads must be signed by different root certs.

So we need to make the Istio CA support this scenario, so that it signs workload certs from different tenants with different root certs.

You can comment on this issue, "multi Root for workload mTLS for different users/tenants" (Issue #32502, istio/istio, GitHub), if you have any thoughts/comments on this.
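The isolation property requested above, as an added example that is not part of the original post and not Istio code: with one shared root, a peer in any tenant accepts tenant A's workload cert at chain validation, while with per-tenant roots a peer that trusts only tenant B's root rejects it. The CA names, the SPIFFE ID and all helper functions are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue signs tmpl with parent; a nil parent self-signs it (a root CA).
func issue(tmpl *x509.Certificate, parent *tls.Certificate) *tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above
	return &tls.Certificate{Certificate: [][]byte{der}, Leaf: leaf, PrivateKey: key}
}
func newRoot(cn string) *tls.Certificate {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
}
// workload issues a leaf under root with a SPIFFE URI SAN (constructed ID).
func workload(root *tls.Certificate, id string) *x509.Certificate {
	u, _ := url.Parse(id)
	return issue(&x509.Certificate{URIs: []*url.URL{u}}, root).Leaf
}
// accepted reports whether leaf chains to the root the verifying peer trusts.
func accepted(leaf *x509.Certificate, trusted *tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trusted.Leaf)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
func main() {
	mesh, a, b := newRoot("mesh-root"), newRoot("tenant-a-root"), newRoot("tenant-b-root")
	id := "spiffe://cluster.local/ns/tenant-a/sa/app" // constructed ID and CA names
	fmt.Println(accepted(workload(mesh, id), mesh), accepted(workload(a, id), a), accepted(workload(a, id), b))
}
```

With a shared root, keeping tenants apart depends entirely on authorization policy matching the SPIFFE ID; with separate roots the cross-tenant handshake already fails at certificate validation.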