Do you mean migrating without downtime? If yes and in case you need to change the CA it’s a two step process (means: you need to to a rolling restart of your cluster twice). First add your new CA to every node and do a rolling restart of the whole cluster. Then update the certificates for every node (thats the second rolling restart). In case you want remove the old CA from the chain of trust you need a third rolling restart (but maybe you can defer that until you need to restart anyhow - if your old CA is somehow compromised thats of course not an option)
See also changing CA and host certificates