Hi there,
I was under the impression that private keys should remain on the computers they were created on and never be transferred from them.
In general this is a very good practice. Whether this is the best or optimal practice for you, your organization and your use case depends on many factors, and it is not easy for anyone on these forums to make the decision for you. You need to factor in your organization's security policy and your system's threat model, or, in the simplest form, decide for yourself what trade-offs between usability and security you are willing to make.
I assume you are talking about elasticsearch.ssl.certificate and elasticsearch.ssl.key. No, these are not meant to be the same keypair that you use in any of the Elasticsearch nodes.
These two can be set if you want Kibana to perform TLS client authentication when communicating with Elasticsearch (instead of using elasticsearch.username and elasticsearch.password). In order to set this up you need to enable a PKI authentication realm in Elasticsearch and create a key and certificate where the certificate is trusted by Elasticsearch.
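As an added example (not from the original post), here is what that setup looks like in the two configuration files, using the 7.x+ realm syntax; the realm name pki1, host names, and all file paths are assumptions. Only the CA certificate crosses hosts, so each private key stays on the machine that generated it, which is exactly the concern raised in the question.

```yaml
# --- elasticsearch.yml (every node) ---
# Constructed example: realm name "pki1", host names and file paths are assumptions.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/es-node.key          # the node's own HTTP key, never copied off the node
xpack.security.http.ssl.certificate: certs/es-node.crt
# The CA that signed Kibana's client certificate must be trusted here.
# Only the CA certificate is shared; Kibana's private key stays on the Kibana host.
xpack.security.http.ssl.certificate_authorities: [ "certs/kibana-client-ca.crt" ]
# "optional" requests a client certificate but still lets other clients
# (curl, Beats using username/password) connect without one; "required" enforces it for everyone.
xpack.security.http.ssl.client_authentication: optional
# PKI realm: a presented, trusted client certificate is mapped to a user identified by its DN.
xpack.security.authc.realms.pki.pki1.order: 1
# Optional: restrict this realm to certificates from the Kibana CA rather than the whole HTTP trust store.
xpack.security.authc.realms.pki.pki1.certificate_authorities: [ "certs/kibana-client-ca.crt" ]

# --- kibana.yml ---
# Client certificate authentication replaces elasticsearch.username / elasticsearch.password.
elasticsearch.hosts: [ "https://es01.example.internal:9200" ]
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana-client.crt   # generated on this host
elasticsearch.ssl.key: /etc/kibana/certs/kibana-client.key           # never leaves this host
# CA that signed the Elasticsearch HTTP certificates, so Kibana verifies the server side as well.
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/es-http-ca.crt" ]
elasticsearch.ssl.verificationMode: full
```

The PKI realm only authenticates; the DN in Kibana's certificate still has to be mapped to the kibana_system role with a role mapping before Kibana can connect.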