@aold619 Did you test whether the generated enrollment-token is usable by Kibana?
I suspect it won't be usable because you added another (different) CA key/cert into the HTTP truststore. This makes the token generation process work. But the token will be generated with the CA that is not the one that signs your HTTP cert. Hence Kibana will fail to validate the HTTPS connection to Elasticsearch.
What you want is to add original CA's key to the truststore. The original CA is the one that you used to generate the http certs with the command ./bin/elasticsearch-certutil http
. Maybe this is what you actually did? If so, could you please clarify this in Step 1?
Btw, we have a public issue to track this problem Generating enrolment token for Kibana should not require the CA key · Issue #89017 · elastic/elasticsearch · GitHub