Pod to pod communication security

I have a k8s cluster created using kops, with a cert-manager external issuer and a Certificate resource in the namespace. I am using Helm to install the CRDs and cert-manager. My external issuer is fetching a certificate which has:
X509v3 Basic Constraints: critical
It is neither an ICA nor a root CA, so with this I cannot issue certs in the workload, and the istio-csr-xxxxxx pod never comes into the READY state.
Is there any other way of securing the pod to pod communication?