Proxy failed to connect to istiod.istio-system.svc:15012 with user-specified certificate/secret

I’m trying to upgrade from Istio 1.5.4 to 1.7.4 and am looking for help on how to use a user-specified certificate for in-cluster mTLS communication.
The user-specified certificate can be mounted via istio-certs for every Istio component with Citadel disabled in Istio-1.5.4:
      - name: istio-certs
        secret:
          secretName: used-specified.istio-pilot-service-account
          optional: true

      volumeMounts:
      - name: istio-certs
        mountPath: /etc/certs
        readOnly: true

Istio-1.7.4 allows user-specified certificates for ingressgateway/egressgateway with mountMtlsCerts: true, but not for istiod (pilot). Both ingressgateway and egressgateway show the following error when a user-specified certificate is used in the proxy:
2020-11-16T21:27:13.372694Z error xdsproxy failed to connect to upstream istiod.istio-system.svc:15012: context deadline exceeded
2020-11-16T14:27:13.373211Z warning envoy config StreamAggregatedResources gRPC config stream closed: 2, context deadline exceeded
2020-11-16T21:27:14.592114Z warn Envoy proxy is NOT ready: config not received from Pilot (is Pilot running?): cds updates: 0 successful, 0 rejected; lds updates: 0 successful, 0 rejected

The documentation is not clear to me on how/when to use pilotCertProvider, mountMtlsCerts, and the DNS certificate along with a user-specified certificate.

Any help will be appreciated…

thanks,
Patrick