You could do this in two rolling restarts.
- Add a new root CA to the xpack.ssl.certificate_authorities array on all hosts.
- Perform the first rolling restart.
- Replace the TLS certificate on each node.
- Perform the second rolling restart. The new node certificate will be trusted since the CA cert was added for the first rolling restart.
- Optionally remove the old CA certificate and perform a rolling restart.
I think we are on the same page. The important point is nodes need to be restarted for certificate changes to take effect. Additionally, trust must be maintained between the nodes to ensure error-free inter-node communication.
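A small simulation of the sequence above, added here as an illustration rather than anything from the original thread. It models each node's loaded trust store and node certificate, applies staged config only on restart, and checks mutual trust after every single-node restart; the node names, CA labels and the config dict layout are made up for the example.

```python
from dataclasses import dataclass
from itertools import permutations

@dataclass
class Node:
    name: str
    running: dict        # config in effect: {"cas": trusted CA set, "issuer": CA that signed the node cert}
    staged: dict = None  # edited on disk; only takes effect at the next restart

def stage(node, cas=None, issuer=None):
    """Edit the on-disk config (certificate_authorities and/or node cert) without applying it."""
    base = node.staged or node.running
    node.staged = {"cas": set(base["cas"] if cas is None else cas),
                   "issuer": base["issuer"] if issuer is None else issuer}

def restart(node):
    if node.staged is not None:
        node.running, node.staged = node.staged, None

def cluster_ok(nodes):
    """Every node must trust the CA that signed every other node's certificate."""
    return all(b.running["issuer"] in a.running["cas"] for a, b in permutations(nodes, 2))

def rolling_restart(nodes):
    """Restart one node at a time; fail as soon as a restarted node is no longer trusted."""
    for n in nodes:
        restart(n)
        if not cluster_ok(nodes):
            return False
    return True

def make_cluster(size=3, ca="old-ca"):
    return [Node(f"node-{i}", {"cas": {ca}, "issuer": ca}) for i in range(1, size + 1)]

def rotate_ca(nodes, old_ca, new_ca, cert_first=False):
    """Run the rolling restarts in order; return the phases that kept full mutual trust."""
    phases = [("add new CA", lambda n: stage(n, cas=n.running["cas"] | {new_ca})),
              ("replace node cert", lambda n: stage(n, issuer=new_ca)),
              ("drop old CA", lambda n: stage(n, cas=n.running["cas"] - {old_ca}))]
    if cert_first:  # the mistake: swap node certs before every node trusts the new CA
        phases[0], phases[1] = phases[1], phases[0]
    completed = []
    for label, change in phases:
        for n in nodes:
            change(n)
        if not rolling_restart(nodes):
            break
        completed.append(label)
    return completed
```

Calling `rotate_ca(make_cluster(), "old-ca", "new-ca")` completes all three phases, while `cert_first=True` stops at the very first node restart because the other nodes do not yet trust the new CA.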