elasticsearch-create-enrollment-token is not possible without a keystore (aka with PEM certificates)

Hi @DavidDPD, welcome to the community, and apologies for the frustrating experience.

Yes, a bit frustrating, and it probably could be documented better.

I think perhaps there is a fundamental "disconnect".

At least this is how I understand it....

When you want to use your own certs etc., you are no longer using security auto-configuration, and thus when you use your own certs you should no longer be trying to "enroll" another node in the cluster using an enrollment token... the elasticsearch-create-enrollment-token tool is only used with security auto-configuration.

Note from the enrollment token command-line docs here:

elasticsearch-create-enrollment-token can only be used with Elasticsearch clusters that have been auto-configured for security.

It's OK if you initially did security auto-configuration; you can update the cert settings and move forward.

Once you have decided to use your own certs / .pems etc., you should simply set up your certs and set the correct discovery and cluster formation settings. No enrollment token is necessary.

I.e., set the discovery and initial master nodes and the same cluster name, and the new nodes should join, assuming transport.host is set correctly and there is network connectivity.

Perhaps someone else has a perspective.

There is a rather long history of how Elasticsearch got to security auto-configuration in 8.x; your use case is the way we all set it up prior to 8.x.
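The reply above describes the non-auto-configured path: PEM certs plus the cluster-formation settings, no enrollment token. As an added illustration (not from the thread, not Elastic's own documentation), here is what that looks like in a joining node's elasticsearch.yml. The cluster name, node names, addresses and certificate file paths are assumptions chosen for the example; the setting keys themselves are the standard ones.

```yaml
# elasticsearch.yml for a node joining an existing 8.x cluster using
# operator-supplied PEM certificates instead of security auto-configuration.
# Added example; cluster name, node names, IPs and paths are assumptions.

cluster.name: my-cluster          # must match the existing cluster exactly
node.name: node-2

# Bind the transport layer to an address the other nodes can reach.
# The thread notes that transport.host must be set correctly for a node to join.
network.host: 10.0.0.12
transport.host: 10.0.0.12

# Cluster formation: seed the discovery with the existing nodes.
# cluster.initial_master_nodes is only consulted when a brand-new cluster is
# bootstrapped, so leave it out (or commented) on a node joining an existing one.
discovery.seed_hosts: ["10.0.0.11", "10.0.0.12"]
# cluster.initial_master_nodes: ["node-1"]   # first bootstrap of a new cluster only

xpack.security.enabled: true

# Transport TLS with PEM files. Paths are relative to the config directory.
# verification_mode: full checks the peer cert chain AND that its SANs match the
# address being connected to, so the node certs must carry the right IP/DNS SANs.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: certs/node-2.key
xpack.security.transport.ssl.certificate: certs/node-2.crt
xpack.security.transport.ssl.certificate_authorities: ["certs/ca.crt"]

# HTTP TLS for clients (Kibana, curl, etc.); a separate cert may be used here.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/node-2.key
xpack.security.http.ssl.certificate: certs/node-2.crt
xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]

# Deliberately absent: xpack.security.transport.ssl.keystore.path / truststore.path
# and xpack.security.http.ssl.keystore.path. The PEM settings (key/certificate/
# certificate_authorities) and the PKCS#12 keystore settings are mutually exclusive,
# so the lines security auto-configuration wrote must be removed when switching.
```

If the PEM private keys are passphrase-protected, the passphrase goes into the Elasticsearch secure settings store (the `elasticsearch-keystore` tool, which is a different thing from the PKCS#12 certificate keystore) as `xpack.security.transport.ssl.secure_key_passphrase` and `xpack.security.http.ssl.secure_key_passphrase` rather than into this file. Every node in the cluster needs the same CA in `certificate_authorities` and the same `cluster.name`; with that in place the node joins on startup without any enrollment token.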