My question is, how to generate this server certificate for Kibana?
This is slightly different. Users will access Kibana via their browser so the certificate that Kibana will use for https needs to be one that the browsers can trust. This usually means that you generate a CSR ( certificate signing request) and have it signed by a trusted (public or corporate) CA. You can use elasticsearch-certutil to create a CSR, see elasticsearch-certutil | Elasticsearch Guide [8.11] | Elastic
i.e
bin/elasticsearch-certutil csr --dns kibana.example.com
Now, under certain circumstances ( i.e. if the number of users accessing Kibana is small, you can control the trust anchors in the users browsers or OSes, testing reasons, etc. ) you might want to use self signed certificates or certificates signed by a CA that the browsers do not trust by default. Keep in mind that this will cause the browser to show a warning.
You can use elasticsearch-certutil to create a server certificate for Kibana, but Kibana doesn't yet support the PKCS#12 format so you'd need to create a PEM encoded key and certificate (by specifying the --pem parameter). An example invocation would be:
bin/elasticsearch-certutil cert --pem -ca path/to/your.p12 --dns kibana.example.com
Also, for logstash pipeline output to elasticsearch, what should we put in for "cacert =>"?
You need to set the CA cert file that you have created with certutil. However, Elasticsearch output Logstash plugin doesn't support PKCS#12 format so you would need to export the CA certificate in PEM format as such :
openssl pkcs12 -in ca.p12 -clcerts -nokeys -chain -out ca.pem
and use that as the value of cacert