- Story
- Resolution: Obsolete
Our customer was surprised that istiod sent an expired CA certificate to a proxy. Look at this comment for more context: https://issues.redhat.com/browse/OSSM-8226?focusedId=25773394&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-25773394.
Currently, this is expected behavior in Istio, but some users, like our customer, may want to configure Istio to prevent sending expired certificates. This could be easily done by adding a feature flag, like PILOT_BLOCK_EXPIRED_CERTIFICATES, set to false by default.
This flag will cause downtime of applications that expect to receive an expired secret, but I guess this may be preferred over using expired certificates in some cases.
- impacts account
  - OSSM-8226 CA certificate loaded in a gateway by a secret is marked as valid even when it's expired (Closed)
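The kind of check the proposed flag would need, as an added example that is neither Istio code nor part of the ticket: split a secret's PEM CA bundle into certificates valid now and certificates outside their validity window, so the latter can be withheld or alerted on. The names `splitByValidity` and `sampleCA`, the CA common names and the validity windows are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// splitByValidity parses a PEM bundle and separates certificates valid at now from those outside their window.
func splitByValidity(bundle []byte, now time.Time) (valid, rejected []*x509.Certificate, err error) {
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // skip keys and other PEM blocks in the secret
			continue
		}
		cert, perr := x509.ParseCertificate(block.Bytes)
		if perr != nil {
			return nil, nil, perr // fail closed on unparsable certificate data
		}
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			rejected = append(rejected, cert) // expired or not yet valid
		} else {
			valid = append(valid, cert)
		}
	}
	return valid, rejected, nil
}

// sampleCA builds a constructed self-signed CA (PEM) valid for the 72h ending at notAfter.
func sampleCA(cn string, notAfter time.Time) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-72 * time.Hour), NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	bundle := append(sampleCA("old-ca", now.Add(-24*time.Hour)), sampleCA("current-ca", now.Add(24*time.Hour))...)
	valid, rejected, err := splitByValidity(bundle, now)
	fmt.Println("deliverable:", len(valid), "blocked:", len(rejected), "error:", err)
}
```

Passing the comparison time as a parameter keeps the check testable and lets a caller evaluate a bundle against a future time to warn before expiry.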