Replace the existing unsigned certificate by importing the new signed certificate from your CA into the node keystore:
This name of the signed certificate file that you received from the CA.
keytool confuses some PEM-encoded certificates with extra text headers as DER-encoded certificates, giving
java.security.cert.CertificateParsingException: invalid DER-encoded certificate data. The text information
can be deleted from the certificate. The following openssl command will remove the text headers:
openssl x509 -in node01-signed.crt -out node01-signed-noheaders.crt