The CA is the Certificate Authority that the full chain certificate was generated and signed from.
If you're not familiar with these processes, I suggest that you read about them and/or contact someone in your company that understands how your certificates are generated from the CSR you submitted.
You submitted a CSR to someone or some API that API or someone should know how to provide you the CA.
I am only a mid-level certificate expert and generally there are guru levels. If you need more information contact someone in your company or you can read about it.
My working understanding is this... And I've worked with many self-signed private and public CAs.
Public CAs are already on your host like ones that work with GoDaddy or let's encrypt etc because they actually have a root CA that are trusted with the operating system already
The fact that your curl call does not work means that your CA is private or not automatically trusted by your host and you need to get that in order to do certificate validation.
Often companies the generate their own CAs install those CAs as part of host setup. That may or may not be how your company works.
In short, you need to talk to somebody who knows about how you generate certs and how to trust them within your environment ...apologies but I can't help you with your internal processes.
Elasticsearch does nothing specific that any other client curl webserver, Apache, Nginx etc all do