@fara I see. I presume you are having a different component (like stunnel or some proxy) in front of ES to enable TLS. Rally under the hood uses the elasticsearch-py client and this is what handles the TLS part.
Can you try passing the same certs as parameters in a curl command as mentioned earlier and see if they work?
No username/pass needed just a simple:
curl --cacert /tmp/cacert.pem https://10.10.10.10:31504
If this works the server isn't requesting client authentication; if it fails indicating client auth is needed, you can try instead:
curl --cacert /tmp/cacert.pem --cert /tmp/client_cert.pem --key /tmp/client_key.pem https://10.10.10.10:31504
This should help clarify the exact configuration and how to proceed further.