--cacert <CA certificate>
(TLS) Tells curl to use the specified certificate file to verify the peer. The file may contain multiple CA certificates. The certificate(s) must be in PEM format.
The curl option requires the cert in a PEM format but you're passing the cert in a PKCS12 format.
You can convert it with something similar to:
openssl pkcs12 -in certs/elastic-certificates.p12 -out certs/elastic-certificates.crt -nokeys
But be advised that, from my reading of the file names, you're passing in client certificates as certificate authorities.
Since the conversation strayed away from the original topic, maybe it's worth opening another thread, or better still finding something that applies to your present situation, such as Mutual tls/ssl on elasticsearch - #17 by SukeshGupta.
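A format pre-check for a file about to be passed to `--cacert`, as an added example that is not part of the original post: it tells a PEM bundle from a binary PKCS#12 or DER file and flags private keys left in a conversion run without `-nokeys`. The function name and the sample bytes are constructed for illustration; it checks format only, not whether the certificate is actually a CA.

```python
import re

# Constructed samples (not real certificates): PEM as "openssl pkcs12" writes it,
# with "Bag Attributes" text before the armor, and the first bytes of a PKCS#12 file.
SAMPLE_PEM = (b"Bag Attributes\n    friendlyName: ca\n"
              b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
              b"-----END CERTIFICATE-----\n")
SAMPLE_P12 = b"\x30\x82\x0a\x00\x02\x01\x03\x30\x82" + b"\x00" * 16

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def _after_outer_sequence(data):
    """Return the bytes following the outer DER SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    if data[1] < 0x80:                        # short-form length
        return data[2:]
    n = data[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return data[2 + n:]


def classify_cacert_file(data):
    """Classify the bytes of a file intended for curl --cacert."""
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if labels:
        certs = labels.count("CERTIFICATE")
        keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
        return {"format": "pem", "certs": certs,
                "private_keys": keys, "usable": certs > 0}
    body = _after_outer_sequence(data)
    if body is None:
        fmt = "unknown"
    elif body[:3] == b"\x02\x01\x03":         # PFX starts with INTEGER version 3
        fmt = "pkcs12"
    elif body[:1] == b"\x30":                 # X.509 starts with tbsCertificate SEQUENCE
        fmt = "der-certificate"
    else:
        fmt = "der-other"
    return {"format": fmt, "certs": 0, "private_keys": 0, "usable": False}


if __name__ == "__main__":
    print(classify_cacert_file(SAMPLE_PEM))
    print(classify_cacert_file(SAMPLE_P12))
```

A result with `private_keys` above zero means the PEM file should be regenerated with `-nokeys` before it is shared or used as a trust bundle.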