Does X-Pack Security authenticate clients via client certificates?

I think I probably answered most of your questions through your other post, but I'll fill in a few details. Please post a follow-up if I've missed something.

It's important to be really clear about client certificates vs server certificates (which you might be, but it's not entirely clear from your post).

When enabling TLS on Elasticsearch you must supply a server certificate (that certgen can generate for you), but client certificates are optional.
In your curl example, you're using the server ca.crt to verify the server certificate, but you're not supplying a client certificate.

If you want to rely on TLS to distinguish between different clients (such as different Logstash instances) then you need to enable client certificates. The instructions for the PKI realm can guide you through that process.

You can use certgen to generate client certificates, but you would typically separate your client certificates from your server certificates.
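
To illustrate the server/client split described in the reply above, here is an added configuration sketch; it is not part of the original post or taken from the Elastic documentation. It assumes the 5.x/6.x-style setting names that go with certgen, and every path and the realm name `pki1` are placeholders.

```yaml
# elasticsearch.yml (added example; paths and the realm name are placeholders)

# --- Server certificate: what the node presents to every client -------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /path/to/node01.key
xpack.security.http.ssl.certificate: /path/to/node01.crt

# --- Client certificates: off unless you ask for them -----------------------
# The default is "none", so a client that only verifies the server with
# ca.crt is never asked for a certificate of its own.
#   optional: request a client certificate, still allow clients without one
#             (they fall back to other realms, e.g. username/password)
#   required: refuse the TLS handshake if no client certificate is presented
xpack.security.http.ssl.client_authentication: optional

# CA(s) that sign the client certificates. Using a CA dedicated to clients
# keeps client certificates separate from the server certificates.
xpack.security.http.ssl.certificate_authorities: [ "/path/to/client-ca.crt" ]

# --- PKI realm: turns an accepted client certificate into a user ------------
# The user is derived from the certificate's subject DN; roles are assigned
# to that DN through role mapping.
xpack.security.authc.realms.pki1.type: pki
xpack.security.authc.realms.pki1.order: 1
```

With this in place, a client identifies itself by passing its own certificate and key to curl with `--cert` and `--key`, in addition to the `--cacert` it already uses to verify the server.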