Using a purchased certificate for TLS

Had some time off and was then on other projects, but I try never to leave a thread hanging.

Our registrar provides the cert and chain in separate PEM files. So I just needed to concatenate those and feed it in as pemcert_filepath. The pemtrustedcas_filepath was downloaded from the registrar in PEM format and worked.

My real problem was I hadn’t run securityadmin.sh to set things up; I’d made sure to remove all the demo items before starting the server (that should really be a flag for the RPM repo version). One wrinkle is that securityadmin.sh must have the key in pk8 format, which I was able to create with:

openssl pkcs8 -topk8 -inform PEM -in /etc/opensearch/key.pem -out /etc/opensearch/key.p8 -nocrypt

I realise this means I’m using the same key for both node and admin, but who’s going to get a separate cert for every function?

4 Likes
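
A pre-flight check for the files described in the post above, as an added example that is not part of the original post: it reports which key encoding a PEM file announces (securityadmin.sh wants unencrypted PKCS#8) and catches a cert + chain bundle whose boundaries were fused by concatenation. The function names and sample file names are hypothetical, the sample bodies are constructed placeholders, and the checks read PEM labels only.

```shell
# Added example: label-only pre-flight checks for the PEM files in the post.
# It does not parse or validate the certificates or keys themselves.

# key_format FILE: print which private-key encoding the PEM label announces.
key_format() {
    if   grep -qxF -e '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
    elif grep -qxF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
    elif grep -qxF -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo pkcs1
    elif grep -qxF -e '-----BEGIN EC PRIVATE KEY-----' "$1"; then echo sec1
    else echo unknown
    fi
}

# bundle_check FILE: sanity-check a concatenated cert + chain file.
bundle_check() {
    if grep -q -e 'PRIVATE KEY-----' "$1"; then echo "error: private key inside certificate bundle"; return 1; fi
    begins=$(grep -cxF -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -cxF -e '-----END CERTIFICATE-----' "$1" || true)
    seen=$(( $(grep -oF -e 'BEGIN CERTIFICATE' "$1" | wc -l) ))
    # A source file without a trailing newline makes `cat` fuse END and BEGIN
    # onto one line, so the exact-line count falls below the occurrence count.
    if [ "$seen" -ne "$begins" ] || [ "$begins" -ne "$ends" ]; then
        echo "error: fused or unbalanced PEM boundaries"; return 1
    fi
    [ "$begins" -ge 2 ] || { echo "error: expected certificate plus chain, found $begins block(s)"; return 1; }
    echo "ok: $begins certificates"
}

# make_samples DIR: constructed placeholder files (labels real, bodies fake).
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    cat "$1/cert.pem" "$1/cert.pem" > "$1/good.pem"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/nonl.pem"
    cat "$1/nonl.pem" "$1/cert.pem" > "$1/fused.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'RkFLRQ==' \
        '-----END RSA PRIVATE KEY-----' > "$1/key.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'RkFLRQ==' \
        '-----END PRIVATE KEY-----' > "$1/key.p8"
}

d=$(mktemp -d) && make_samples "$d"
echo "key.pem: $(key_format "$d/key.pem")  key.p8: $(key_format "$d/key.p8")"
echo "good.pem: $(bundle_check "$d/good.pem")"
echo "fused.pem: $(bundle_check "$d/fused.pem")"
rm -rf "$d"
```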