Having different passwords for the pkcs12 keystore and the private key in the keystore

Why do step 4?

Elasticsearch is perfectly capable of handling PEM certificates and keys. Is there a reason you're converting them to PKCS#12 - it seems redundant and is just introducing more pain.


But as for your actual question...

openssl pkcs12 will change the password on the private key to match the password of the pkcs#12 keystore. So although the password was keypass when it was a standalone PEM formatted key, the password is changed to storepass when you add it to the keystore.

But that is a specific openssl behaviour. Other tooling (e.g. the JDK's keytool) can store keys with a different password than the keystore's password.

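The openssl behaviour described in the reply above can be reproduced with the following added example, which is not part of the original post. It assumes `openssl` is on the PATH, reuses the passwords `keypass` and `storepass` named in the reply, and builds a throwaway key and self-signed certificate (the subject `demo.example` and the function name are constructed for illustration).

```shell
#!/bin/sh
# Constructed demo: everything lives in a temp dir and is deleted afterwards.
# The function body runs in a subshell, so its variables do not leak.
p12_key_password_demo() (
  dir=$(mktemp -d) || exit 2
  trap 'rm -rf "$dir"' EXIT

  # 1. PEM private key encrypted with "keypass", plus a self-signed cert.
  openssl genrsa -aes256 -passout pass:keypass -out "$dir/key.pem" 2048 \
    2>/dev/null || exit 2
  openssl req -new -x509 -key "$dir/key.pem" -passin pass:keypass \
    -subj "/CN=demo.example" -days 1 -out "$dir/cert.pem" 2>/dev/null || exit 2

  # 2. Export both into a PKCS#12 keystore protected by "storepass".
  #    -passin unlocks the PEM key; -passout is the only password the
  #    resulting file knows about.
  openssl pkcs12 -export -inkey "$dir/key.pem" -passin pass:keypass \
    -in "$dir/cert.pem" -name demo -passout pass:storepass \
    -out "$dir/store.p12" 2>/dev/null || exit 2

  # 3. Read the key back with each password. openssl uses the single
  #    -passin value for both the keystore and the key entry inside it.
  with_store=fail; with_key=fail
  openssl pkcs12 -in "$dir/store.p12" -nocerts -nodes \
    -passin pass:storepass -out "$dir/out.pem" 2>/dev/null && with_store=ok
  openssl pkcs12 -in "$dir/store.p12" -nocerts -nodes \
    -passin pass:keypass >/dev/null 2>&1 && with_key=ok

  # 4. Confirm the key recovered with "storepass" is the original key
  #    by comparing the public halves.
  samekey=no
  orig_pub=$(openssl pkey -in "$dir/key.pem" -passin pass:keypass -pubout 2>/dev/null)
  p12_pub=$(openssl pkey -in "$dir/out.pem" -pubout 2>/dev/null)
  [ -n "$orig_pub" ] && [ "$orig_pub" = "$p12_pub" ] && samekey=yes

  echo "storepass=$with_store keypass=$with_key samekey=$samekey"
)

p12_key_password_demo
```

The original key password no longer opens anything in the `.p12` file, so a configuration that supplies `keypass` as the key password for that keystore will fail to load the key.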