Reported by: balki404
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html-single/service_mesh/index#annotations:46069672-f979-48e0-82f5-2589966fad04

With Service mesh 2.x, neither the bookinfo app namespace nor the service mesh control plane namespace contains secrets with the name pattern "istio.*". So, it's not clear as to how to force forward to new certs to the apps/workloads. May be to delete each of the app pods to force the cert push?. Please check and amend this section as required.

https://docs.openshift.com/container-platform/4.8/service_mesh/v2x/ossm-security.html#ossm-cert-manage-add-cert-key_ossm-security

Heading = Adding an existing certificate and key

Step 3 -  To make sure the workloads add the new certificates promptly, delete the secrets generated by Service Mesh, named istio.*. In this example, istio.default. Service Mesh issues new certificates for the workloads.

     $ oc delete secret istio.default