and... because nothing is easy, I thought I would try this to use keytool to create a truststore:
https://docs.oracle.com/cd/E66686_01/pt855pbr1/eng/pt/tpst/task_ConfiguringSSLBetweenPeopleSoftAndElasticsearch.html?pli=ul_d73e131_tpst
When I attempt to import my CA step 6 from the above page (having skipped step 4), I get this when trying to import my pfx:
keytool error: java.security.cert.CertificateParsingException: signed fields invalid
And this when I convert it to a cer:
keytool error: java.security.cert.CertificateException: No certificate data found