How to Update Multi-AZ DB clusters (New) CA Certificate

2

I have a Multi-AZ DB cluster with the Postgres engine; it is not an Aurora cluster but a new Multi-AZ DB cluster that has one writer instance and two reader instances. Currently, it uses rds-ca-2019; how do I update to use rds-ca-rsa2048-g1? In the certificate update menu, I can find the warning of expiration but am unable to modify it. It says modifying the DB cluster is not possible.

Thanks

Sumar
asked 7 months ago, 443 views
2 answers
0

I'm having the same issue and am unable to modify individual DB instances of my Multi-AZ cluster.

Tyler
answered 7 months ago
0

For everyone coming here, this is my workaround. Before deploying the CFN template, we override the CA certificate:

aws rds modify-certificates --certificate-identifier rds-ca-rsa2048-g1

So the new instance will use rds-ca-rsa2048-g1.

And then we deploy the CFN template:

  CMSDBCluster:
    Type: AWS::RDS::DBCluster
    Condition: IsProduction
    Properties: 
      AllocatedStorage: 100
      BackupRetentionPeriod: 30
      DatabaseName: !Ref CMSDBName
      DBClusterIdentifier: !Sub "${App}-${Env}-cms"
      DBClusterInstanceClass: db.m5d.large
      DBClusterParameterGroupName: !Ref "CMSDBClusterParameterGroup"
      DBInstanceParameterGroupName: !Ref "CMSDBParameterGroup"
      DBSubnetGroupName: !Ref "CMSDBSubnetGroup"
      DeletionProtection: true
      EnableCloudwatchLogsExports: 
        - postgresql
      Engine: postgres
      EngineMode: provisioned
      EngineVersion: "15.3"
      Iops: 1000
      MasterUsername: !Sub "db_${Env}_admin"
      MasterUserPassword: !Ref CMSDBPassword
      NetworkType: IPV4
      PerformanceInsightsEnabled: true
      PerformanceInsightsRetentionPeriod: 7
      Port: 5432
      PreferredBackupWindow: "15:00-16:00"
      PreferredMaintenanceWindow: "Sun:16:05-Sun:17:00"
      PubliclyAccessible: false
      StorageEncrypted: true
      StorageType: io1
      VpcSecurityGroupIds: 
        - Fn::GetAtt: CMSDBSecurityGroup.GroupId
      Tags:
        - Key: application
          Value: !Sub ${App}
        - Key: environment
          Value: !Sub ${Env}

The result is that it will use rds-ca-rsa2048-g1 instead of the old one. I hope that in the near future AWS will add CACertificate to the AWS::RDS::DBCluster resource if the engine is postgres or mysql. Thanks

Sumar
answered 7 months ago
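The workaround above relies on an account-level default (the `modify-certificates` override) rather than on a property of the cluster, so it is worth verifying after deployment that the override is actually in place and that every member of the Multi-AZ DB cluster ended up on the new CA, and also how long the old CA has left. The following audit is an added example, not code from the thread or from AWS: it parses the JSON that `aws rds describe-certificates` and `aws rds describe-db-instances --filters Name=db-cluster-id,Values=<cluster>` print (the two samples embedded below are constructed in that shape; the cluster name `cms-prod` and the instance identifiers are made up, and the `ValidTill` dates are illustrative, so check the real values in your region).

```python
"""Audit the RDS CA override and the CA each Multi-AZ DB cluster member uses.

Added example, not from the re:Post thread. The two SAMPLE_* strings are
constructed to match the shape of AWS CLI output; replace them with the
real output of `aws rds describe-certificates` and
`aws rds describe-db-instances --filters Name=db-cluster-id,Values=<cluster>`.
"""
import json
from datetime import datetime, timezone

OLD_CA = "rds-ca-2019"
NEW_CA = "rds-ca-rsa2048-g1"

# Constructed sample in the shape of `aws rds describe-certificates` output.
# CustomerOverride is what `aws rds modify-certificates` sets; dates are illustrative.
SAMPLE_CERTIFICATES = json.dumps({
    "Certificates": [
        {
            "CertificateIdentifier": OLD_CA,
            "ValidTill": "2024-08-22T17:08:50+00:00",
            "CustomerOverride": False,
        },
        {
            "CertificateIdentifier": NEW_CA,
            "ValidTill": "2061-05-22T22:29:42+00:00",
            "CustomerOverride": True,
            "CustomerOverrideValidTill": "2061-05-22T22:29:42+00:00",
        },
    ]
})

# Constructed sample in the shape of `aws rds describe-db-instances` output for a
# hypothetical Multi-AZ DB cluster "cms-prod" (one writer, two readers).
SAMPLE_INSTANCES = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "cms-prod-instance-1", "DBClusterIdentifier": "cms-prod",
         "CACertificateIdentifier": OLD_CA},
        {"DBInstanceIdentifier": "cms-prod-instance-2", "DBClusterIdentifier": "cms-prod",
         "CACertificateIdentifier": NEW_CA},
        {"DBInstanceIdentifier": "cms-prod-instance-3", "DBClusterIdentifier": "cms-prod",
         "CACertificateIdentifier": OLD_CA},
    ]
})


def account_ca_override(certificates_json: str):
    """Return the CA that modify-certificates set as the account default, or None."""
    for cert in json.loads(certificates_json)["Certificates"]:
        if cert.get("CustomerOverride"):
            return cert["CertificateIdentifier"]
    return None


def days_until_expiry(certificates_json: str, ca_id: str, now: datetime) -> int:
    """Whole days left before the CA's ValidTill; negative once it has expired."""
    for cert in json.loads(certificates_json)["Certificates"]:
        if cert["CertificateIdentifier"] == ca_id:
            valid_till = datetime.fromisoformat(cert["ValidTill"])
            return (valid_till - now).days
    raise KeyError(f"unknown CA {ca_id}")


def members_not_on(instances_json: str, wanted_ca: str) -> list:
    """Identifiers of cluster members whose server certificate is not issued by wanted_ca."""
    return sorted(
        inst["DBInstanceIdentifier"]
        for inst in json.loads(instances_json)["DBInstances"]
        if inst.get("CACertificateIdentifier") != wanted_ca
    )


def audit(certificates_json: str, instances_json: str, now: datetime) -> dict:
    """One report a deployment pipeline can gate on: override set and no stale members."""
    override = account_ca_override(certificates_json)
    stale = members_not_on(instances_json, NEW_CA)
    return {
        "override": override,
        "old_ca_days_left": days_until_expiry(certificates_json, OLD_CA, now),
        "members_not_on_new_ca": stale,
        "ok": override == NEW_CA and not stale,
    }


if __name__ == "__main__":
    # For a live check, feed subprocess.check_output(["aws", "rds", ...]) instead of the samples.
    print(json.dumps(audit(SAMPLE_CERTIFICATES, SAMPLE_INSTANCES, datetime.now(timezone.utc)), indent=2))
```

Running it on the samples reports the override as `rds-ca-rsa2048-g1` but flags two members still on `rds-ca-2019`, which is the situation the workaround is meant to prevent: the override only affects instances created after it is set, so members that existed before it (or that a stack rollback recreated without it) still need to be checked one by one.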
