Thank you for that, I already tried all of that. The issue is related to the step in the Elasticsearch instructions I referred to above that says to use keytool to trust the new CA. keytool must have a password and does not accept empty passwords, and I do not have a password for the keystore, so I could not proceed. Adding a password to the keystore still did not solve the issue. The question now is whether the step to get the cluster to trust the new CA is actually required if all certificates are being replaced because the CA has expired.
I tried on a dev cluster, where I generated a new CA and new certificates and merely replaced all certificates on all nodes, and everything seems to work. Does that make sense, and if so, why does the documentation have an extra step?
The instruction given in the documentation is to avoid complete downtime of the cluster when replacing close-to-expiry CA certs. This is what people normally want in a production environment. But if you can afford some downtime, or if the CA has already expired, you can consider skipping this step.