In the Istio-based service mesh add-on (currently in public preview) for Azure Kubernetes Service, by default the Istio certificate authority (CA) generates a self-signed root certificate and key and uses them to sign the workload certificates.
To protect the root CA key, use a root CA that runs offline on a secure machine, and have it issue intermediate certificates to the Istio CA running in each cluster. The root key then never has to be present on any cluster; each cluster's Istio CA holds only its own intermediate certificate and key.
The Istio add-on now allows you to bring your own certificates and keys for the Istio CA. The Istio CA signs workload certificates with the administrator-specified certificate and key, and distributes the administrator-specified root certificate to the workloads as their root of trust.
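The trust shape described above, as an added example using only Go's standard library (this is not code from the page or from the AKS add-on): an offline root signs a path-length-0 intermediate for a cluster's Istio CA, the Istio CA signs a workload certificate carrying a SPIFFE URI SAN, and a peer validates that workload certificate against nothing but the root. The function names, subjects and the SPIFFE ID are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// issueCert signs a cert for cn with parentKey (self-signed when parent is nil). Path length 1
// on the offline root lets it sign one tier of Istio CAs; 0 on an Istio CA limits it to leaves.
// Pass pathLen -1 for a leaf (Go rejects a path length on a non-CA certificate).
func issueCert(cn string, ku x509.KeyUsage, pathLen int, uris []*url.URL, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0, KeyUsage: ku, URIs: uris,
	}
	if parent == nil { // root: self-signed; its private key stays on the offline machine
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyWorkload mirrors what a peer does in the mesh: trust only the distributed root
// certificate and accept the workload cert when the presented chain leads back to it.
func verifyWorkload(leaf, root *x509.Certificate, chain ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

A workload certificate verifies only when the Istio CA's intermediate is presented alongside it; the same root validates workloads from every cluster whose Istio CA it has signed, while a certificate chained to some other self-signed root is rejected.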