You will have to try it to be sure, you are well off the beaten path and it would be far too time-consuming for me to try and reproduce it myself. But I believe you can do everything we've suggested as a sequence of rolling restarts.
Thanks @DavidTurner for the guidance on using client_authentication: none with truststore - this approach has worked for us! We've successfully deployed the truststore across our cluster and implemented the dual-trust configuration. Initial testing looks great - we migrated one test node to the new CA certificate and it joined the cluster seamlessly while other nodes are still using the old CA.
The mixed CA topology is stable so far with no connectivity issues. Currently testing the full migration workflow in our test environment and will update if any issues arise during the broader rollout. Really appreciate pointing us in the right direction on this!
Also a big thank you to @leandrojmp, @RainTown, and @rdennehy for the deep-dive analysis and the alternative workarounds suggested!
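For readers following the thread, here is an illustrative `elasticsearch.yml` transport-layer fragment of the kind of dual-trust setup the post describes. It is an added example, not the poster's actual configuration or anything from the Elastic project; the keystore and truststore file names, and the idea that the truststore is a single PKCS#12 file holding both CA certificates, are assumptions.

```yaml
# Added example: transport TLS during a rolling CA migration.
# Not the poster's real config; file names and paths are assumptions.
xpack.security.transport.ssl.enabled: true

# Each node presents its own node certificate, signed by whichever CA that
# node has already been migrated to (old CA before migration, new CA after).
# The keystore password lives in the Elasticsearch keystore, not in this file
# (xpack.security.transport.ssl.keystore.secure_password).
xpack.security.transport.ssl.keystore.path: certs/transport.p12

# The truststore holds BOTH the old and the new CA certificate, so a peer
# whose node certificate was issued by either CA is accepted while the
# cluster is in the mixed-CA state.
xpack.security.transport.ssl.truststore.path: certs/transport-truststore.p12

# During the migration the receiving node does not require the connecting
# node to present a client certificate; the connecting node still verifies
# the server certificate against the truststore above.
xpack.security.transport.ssl.client_authentication: none
```

The `client_authentication: none` line is what makes the mixed topology tolerant, but it also means inter-node connections are only authenticated in one direction while it is in place. Once every node is issued a certificate from the new CA, the natural clean-up is to drop the old CA from the truststore and return `client_authentication` to its default of `required`, again as a rolling restart, so that mutual TLS between nodes is restored.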