A co-worker discovered that OpenSSL 1.1.0f on our Debian 9 (Stretch) Logstash server box (Debian 4.9.30-2+deb9u1 (2017-06-18) x86_64) was the source of our SSL certificate/key problem.
Another co-worker created the necessary certificates and keys on a different Debian 8 (Jessie) box with OpenSSL 1.0.1t and copied the certificates/keys to our Debian 9 (Stretch) Logstash server. We no longer see the errors reported in this issue.
Companion issue: PKI between Logstash and Winlogbeat