What's in ca.crt is it the chain or just the root cert?
What I would normally do in your case is:
configure ES to send the whole chain (or at least the leaf & intermediate)
configure clients to trust the root only.
Configuring ES to use the chain can be done by concatenating the certificates together and using that chained certificate file for xpack.security.http.ssl.certificate
You can follow the steps here
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.