You'll need to use keytool, which is a command that ships with Java.
Elasticsearch ships with a bundle JavaVM, including the keytool command. Look for a jdk/bin directory in your Elasticsearch installation directory.
Step 1:
One 1 node from "local cluster", determine the password for the transport.p12 keystore:
elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
Step 2:
One that same node, export your transport CA
keytool -exportcert -rfc -alias transport_ca -keystore config/certs/transport.p12 -storepass "THE_PASSWORD_FROM_STEP1" > config/certs/transport_ca-cluster1.crt
Step 3:
One 1 node from "remote cluster", determine the password for the transport.p12 keystore:
elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
Step 4:
One that same node, export your transport CA
keytool -exportcert -rfc -alias transport_ca -keystore config/certs/transport.p12 -storepass "THE_PASSWORD_FROM_STEP3" > config/certs/transport_ca-cluster2.crt
Step 5
On every node in the "local cluster" (cluster 1), import the CA from "remote cluster" (cluster 2) into the transport truststore
keytool -importcert -file /path/to/transport_ca-cluster2.crt -keystore config/certs/transport.p12 -storepass "PASSWORD_FROM_STEP1" -alias "ccs_remote_ca"
Step 6
On every node in the "remote cluster" (cluster 2), import the CA from "local cluster" (cluster 1) into the transport truststore
keytool -importcert -file /path/to/transport_ca-cluster1.crt -keystore config/certs/transport.p12 -storepass "PASSWORD_FROM_STEP3" -alias "ccs_local_ca"