Is that the ca.crt the one that you used to sign node-01.crt?
I suggest taking apm-server out of the equation for a moment, and verifying the certificate with curl or similar. What happens if you run this?
curl --cacert /etc/apm-server/certs/ca.crt https://node-01:9200