We are running 3 node cluster , we need to implement the ssl policy for client and cluster . Can we do without any downtime.
for client yes, for cluster no.
You can spin up a single instance seeded with a current backup and run it as read-only database. Using DNS resolution or a external loadbalancer you can redirect all your traffic to that instance during maintainance window of your cluster.
That will at least provide a no downtime scenario w.r.t. reads.