What all credentials should be configured in metricbeat, and how, while working with secure elasticsearch having https and built in user roles?

Hi,

I am using elastic stack 7.9. I have a 3 node elasticsearch cluster with https enabled using http.p12 and I have configured kibana as well (but kibana still runs in http). I have set up credentials for built-in users in elasticsearch (elastic, apm_system, kibana_system, logstash_system, beats_system, and remote_monitoring_user).

Now, in order to set up metricbeat (including kibana dashboards), I set up the elasticsearch username and password using the below commands:

./metricbeat keystore create
./metricbeat keystore add output.elasticsearch.username
./metricbeat keystore add output.elasticsearch.password

I provided beats_system as the username, and then gave its password.
Question 1: Is this the correct and right way?
Question 2: Since beats_system is a built-in user, should I explicitly mention it as the username, or will metricbeat automatically set it as default (so that I don't need to mention the username in the keystore)?

Then, I can see that there is another set of configurations:

setup.kibana.username
setup.kibana.password

Question 3: Should I add these entries to the keystore as well? If yes, is the username beats_system?

Question 4: Do I need to copy key files / is any additional configuration required?

Thank you.