I've opened PemUtils fails to parse PKCS#8 private keys when using PBES2 · Issue #78901 · elastic/elasticsearch · GitHub
It looks like (at least in recent versions) OpenSSL defaults to using PBES1 when converting RSA keys to PKCS#8 (openssl pkcs8 -topk8) but PBSE2 when using openssl req.
Parsing PBES2 in Java is a little trickier than PBES1, and we don't support it correctly at the moment.
You can probably work around this by generating the key with -nodes and then encrypting it with
openssl pkcs8 -topk8 -in RootCA-nodes.key -out RootCA.key -v1 PBE-MD5-DES