I didn’t personally create the client certificates so was unsure of the exact creation process. However, using OpenSSL verifies that they are signed by the root CA.
I was able to resolve all of the handshake issues in the Elasticsearch service as well. I had to add the root CA to the Java truststore and then create a keystore for the client certificate/key and specify it in the Java options.
Thanks for your help navigating TLS configurations. The links you forwarded were helpful.