While strugling with this I found this useful snippet Trust custom CA when using a custom GeoIP endpoint - ingest.geoip.downloader.endpoint · Issue #117624 · elastic/elasticsearch · GitHub which brough all the pieces together.
When using the the ES bundled keytool the JDK cacerts file location is irrelevant and the command to add my_corp_root_ca.crt to the JDK cacerts was /usr/share/elasticsearch/jdk/bin/keytool -import -trustcacerts -cacerts -noprompt -alias mycorprootca -file /path/to/my_corp_root_ca.crt