Oooo, good call. I completely glossed over checking the crt.
Upon checking the CRT, there is no SAN section. Which means there might be something wrong with my signing cert. Which would also explain why using the elasticsearch-certutil failed as well.
I will go and start troubleshooting my signing process and report back what I find.
Good catch, and thank you.