FWIW, on an Ubuntu Linux VM, I was able to connect up an endpoint to Elasticsearch using PKI certificates. An issue I noticed was that I needed to restart the endpoint in order for it to pick up changes in the system's trusted certificates.
I ran the following two commands in a root shell to add the certificate:
$ openssl pkcs12 -in certs/http.p12 -nokeys -out /usr/local/share/ca-certificates/elasticsearch-http.crt
$ update-ca-certificates
After restarting the endpoint, it was able to connect up fine.
Also, this particular line in Elasticsearch's config
xpack.security.http.ssl.truststore.path: certs/http.p12
did not affect the ability to connect, whether commented out or not.
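
A check that fits between the two commands in the post above (added example, not part of the original post): `openssl pkcs12 -nokeys` writes every certificate held in the keystore, not only CA certificates, so `audit_bundle` lists each one and whether it is a CA before `update-ca-certificates` trusts it. The sample keystore built by `make_sample`, its subject names and its password are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit what `openssl pkcs12 -nokeys` wrote before trusting it.

# Print one line per certificate in PEM file $1: "CA <subject>" or "LEAF <subject>".
audit_bundle() {
  local tmp f kind
  tmp=$(mktemp -d) || return 1
  # Split the file into one PEM per certificate, skipping "Bag Attributes" text.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
    on { print > (dir "/" n ".pem") }
    /-----END CERTIFICATE-----/ { on = 0 }' "$1"
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || continue
    kind=LEAF
    # basicConstraints CA:TRUE marks a certificate that may sign other certificates.
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' && kind=CA
    echo "$kind $(openssl x509 -in "$f" -noout -subject)"
  done
  rm -rf "$tmp"
}

# Constructed sample (hypothetical names and password): a CA certificate and a
# server certificate packed into http.p12 under directory $1.
make_sample() {
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3ca]' 'basicConstraints=critical,CA:TRUE' \
    '[v3leaf]' 'basicConstraints=CA:FALSE' > "$d/c.cnf"
  openssl req -x509 -config "$d/c.cnf" -extensions v3ca -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed Test CA' -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -x509 -config "$d/c.cnf" -extensions v3leaf -newkey rsa:2048 -nodes \
    -subj '/CN=constructed-es-node' -days 2 \
    -keyout "$d/leaf.key" -out "$d/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
    -certfile "$d/ca.crt" -passout pass:constructed -out "$d/http.p12"
}
```

Any `LEAF` line means a server certificate would be installed as a trust anchor; OpenSSL's `-cacerts` option on the `pkcs12` command limits the output to the keystore's CA certificates.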