HTTP Certificates when CA is a chain

What's in ca.crt is it the chain or just the root cert?

What I would normally do in your case is:

  1. configure ES to send the whole chain (or at least the leaf & intermediate)
  2. configure clients to trust the root only.

Configuring ES to use the chain can be done by concatenating the certificates together and using that chained certificate file for xpack.security.http.ssl.certificate
You can follow the steps here