Elasticsearch-certutil add node pem format failing

--ca expects a PKCS#12 store and you are passing a PEM encoded certificate, so it fails. See elasticsearch-certutil | Elasticsearch Guide [8.11] | Elastic

--ca <file_path>
Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter cannot be used with the ca or csr parameters.

You should use --ca-cert and --ca-key instead to pass the CA key and certificate since you have them in PEM format.

An issue is that when you created the CA key and certificate in the first command with

bin/elasticsearch-certutil cert ca --pem

you didn't specify --keep-ca-key so the key was not stored on file. That's unfortunate because you only have the CA cert now and you cannot sign any more certificates with that CA. You probably need to generate a new CA key and certificate and regenerate your node certificates.

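An added example, not code from the original post or from Elastic: a small bash wrapper that classifies the CA material you actually have by content (PKCS#12 store versus PEM files), builds the matching `--ca` or `--ca-cert`/`--ca-key` arguments for `elasticsearch-certutil cert`, and rejects the combinations that produce the error above (PEM cert passed to `--ca`, PEM cert with no key, cert and key swapped). The `ES_HOME` default, node name, DNS name and output paths are assumptions, and the sample files it creates are constructed placeholders rather than real key material.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: choose the CA flags for
# `elasticsearch-certutil cert` from file contents, then build the signing
# command. Paths, names and DNS entries are assumptions.
set -eu

# Classify a CA input by content rather than by extension.
# Prints "pem", "pkcs12" or "unknown".
classify_ca_file() {
  local f="$1"
  [ -r "$f" ] || { echo unknown; return 0; }
  if head -c 64 "$f" | grep -q -- '-----BEGIN'; then
    echo pem
  elif [ "$(od -An -tx1 -N1 "$f" | tr -d ' \n')" = "30" ]; then
    # DER SEQUENCE tag: a PKCS#12 (PFX) store always starts with one.
    echo pkcs12
  else
    echo unknown
  fi
}

# Print the CA arguments certutil accepts for what you have:
#   PKCS#12 store (cert + key inside)  -> --ca <store>
#   PEM cert plus PEM private key      -> --ca-cert <crt> --ca-key <key>
# Usage: ca_args <ca-file> [ca-key-file]
ca_args() {
  local ca="$1" key="${2:-}"
  case "$(classify_ca_file "$ca")" in
    pkcs12)
      if [ -n "$key" ]; then
        echo "error: $ca is a PKCS#12 store and already holds the key; do not pass $key" >&2
        return 1
      fi
      printf -- '--ca %s' "$ca" ;;
    pem)
      if [ -z "$key" ]; then
        echo "error: $ca is PEM; supply the CA key with --ca-key (without it nothing can be signed)" >&2
        return 1
      fi
      # Catch a swapped cert/key pair: the key file must carry a PRIVATE KEY block.
      if ! grep -q -- 'PRIVATE KEY-----' "$key"; then
        echo "error: $key is not a PEM private key" >&2
        return 1
      fi
      printf -- '--ca-cert %s --ca-key %s' "$ca" "$key" ;;
    *)
      echo "error: $ca is neither PEM nor PKCS#12" >&2
      return 1 ;;
  esac
}

# Build the `cert` command for one node. If the certutil binary is not
# present (ES_HOME is an assumption) it prints the command as a dry run.
# Usage: sign_node_cert <node-name> <dns-name> <ca-file> [ca-key-file]
sign_node_cert() {
  local name="$1" dns="$2" ca="$3" key="${4:-}"
  local certutil="${ES_HOME:-/usr/share/elasticsearch}/bin/elasticsearch-certutil"
  local args
  args="$(ca_args "$ca" "$key")" || return 1
  # shellcheck disable=SC2086  # $args is intentionally word-split into flags
  set -- cert --pem $args --name "$name" --dns "$dns" --out "$name.zip"
  if [ -x "$certutil" ]; then
    "$certutil" "$@"
  else
    echo "dry run: elasticsearch-certutil $*"
  fi
}

# Starting over when the CA key was never kept, as the reply suggests:
#   "$ES_HOME"/bin/elasticsearch-certutil ca --pem --out ca.zip   # zip holds ca/ca.crt AND ca/ca.key
#   unzip -o ca.zip
#   sign_node_cert node-1 node-1.example.internal ca/ca.crt ca/ca.key
# (In `cert` mode with an auto-generated CA, add --keep-ca-key to get ca.key.)

# Constructed sample inputs (placeholders, not real key material) so the
# checks can be exercised offline. Usage: make_sample_inputs <dir>
make_sample_inputs() {
  local d="$1"
  mkdir -p "$d"
  printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' > "$d/ca.crt"
  printf -- '-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n' > "$d/ca.key"
  # Leading bytes of a DER SEQUENCE, enough to look like a PKCS#12 store.
  printf '\060\202\013\021\002\001\003' > "$d/elastic-stack-ca.p12"
  echo 'not a certificate' > "$d/junk.txt"
}

# Stand-alone demo: show the three outcomes on the constructed files.
demo() {
  local tmp
  tmp="$(mktemp -d)"
  make_sample_inputs "$tmp"
  ca_args "$tmp/elastic-stack-ca.p12"; echo
  ca_args "$tmp/ca.crt" "$tmp/ca.key"; echo
  ca_args "$tmp/ca.crt" || echo "(rejected: PEM cert without its key, the situation in the question)"
  sign_node_cert node-1 node-1.example.internal "$tmp/ca.crt" "$tmp/ca.key"
  rm -rf "$tmp"
}
demo
```

The content check matters more than the file name: a `.crt` that was exported as PKCS#12, or a `.p12` that is really PEM, fails in certutil with the same unhelpful message, and `classify_ca_file` tells you which flag set to use before you reach the tool.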