More crypto problems with Elasticsearch

I am trying to upgrade a winlogbeat agent on Windows from version 6.6.1 to version 7.2. According to the documentation,, I must first upgrade from 6.6 to 6.7, load the new template and then upgrade to 7.

https://www.elastic.co/guide/en/beats/libbeat/7.2/upgrading-6-to-7.html

In my case, I am sending the winlogbeat output to Logstash, which then outputs to elasticsearch. Evidently, I need to temporarily bypass logstash and run the setup by connecting directly to my elasticsearch cluster via,

.\winlogbeat.exe setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["192.168.10.90:9200"]'

Fine. However, my cluster uses SSL so the example in the documentation above fails with an SSL error. I assume I need to use https and -E to include all the crypto settings. My new command looks like:

.\winlogbeat.exe setup --template -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["https://192,168.20.90:9200"]' -E 'output.elasticsearch.ssl.certificate_authorities: ["C:/certs/elastic-ca.crt.pem"]' -E 'output.elasticsearch.ssl.certificate: "C:/certs/wb1.crt.pem"' -E 'output.elasticsearch.ssl.key: "C:/certs/wb1.key.pem"'

No joy. I now get the error for the above command:

x509: certificate signed by unknown authority

On the elastic side, I see the log entry:

javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

These are exactly the same key and certs (public and ca) generated by my elasticsearch ca and being used by winlogbeat to send events to logstash every day. Logstash is configured to use exactly the same ca cert in its elasticsearch output section. What am I missing here? I have shed many tears over crypto settings in all Elastic products.