Hey @fara,
Just to be on the safe side are you able to issue:
curl --cacert /tmp/cacert.pem -u elastic:<yourpassword> https://10.10.10.10:31504
Also your esrally command is missing the username and password for Rally. It should look like:
esrally --track=pmc --target-hosts=10.10.10.10:31504 --pipeline=benchmark-only --client-options="use_ssl:true,verify_certs:true,ca_certs:'/tmp/cacert.pem',client_cert:'/tmp/client_cert.pem',client_key:'/tmp/client_key.pem',basic_auth_user:'user',basic_auth_password:'password'"
I quickly verified the above command against a simple TLS enabled cluster in Docker and it worked fine.
Also note (depending on the SSL verification mode value on ES), that you don't always need to specify the client_key.
Dimitris