Finally i was able to do it in several steps:
Firstly, only add the newca to the secret that stores the certificates and setting:
- name: xpack.security.transport.ssl.certificate_authorities
value: '["oldca", "newca"]'
Once the cluster trust the new CA, i can change the transport certificate of the all nodes keeping both CAs in the cluster trusted certificate_authorities
And finally, you can remove the old CA from the cluster trusted certificate_authorities.
Regards