OK, the part of not starting the nodes in the cluster before finalizing both minimal and basic security has not been very clear to me, thanks for mentioning that, will give that a try.
But, just to be perfectly clear here. I need to take down all nodes in the cluster, set the xpack.security.enabled-setting to true, setup TLS between the nodes. Then start the nodes to be able to create passwords (part of the minimal security settings)?
Can I generate certificates (call Elasticsearch-certutil) without having Elasticsearch running?