Certificates rollover (not demo certs)

Hi all.
First of all, thanks to the Search Guard team, you are doing a great job!

I have a cluster running with my own certs (generated with tlstool), and I need to roll over the certs.

I already created the new ones and copied them to the config folder.
If I restart one node, it fails to load because the new cert is different from the active one (certificate_unknown). So I need to restart all the nodes.

But if I do that, will I end up with all the indices in red status?

I am running Elasticsearch in containers, and mounted the container folder /usr/share/elasticsearch/data into the host to keep data when the container restarts. The problem is that when I restart the container, elastic starts moving shards to rebalance shards/replicas, and from my previous experience, if I restart all of them without a batch interval of 10 mins (the time needed to rebalance), I lose data and end up with red indices.

Is there another way to roll over certificates? Or a better way to approach this?

Thanks to you all!

Edit: I had missed changing the pemkey pass. After doing so, I also receive:

PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors