Certificate/TLS Issue

@CloudBeard
I’m limited on knowledge with this type of issue, but I have been in this situation with Graylog before and had the error you have also received. With some trial and error testing I was able to get it to work.
The first problem I had was permissions on where the certs were kept; can Graylog access them?
Second, are the certs inserted in the trusted store, and is Graylog configured to use the trusted store?
Examples:

Modify the JVM Setting to include -Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks in the GRAYLOG_JAVA_OPTS.

keytool -import -trustcacerts -file graylog-certificate.pem -alias dns.name.of.server -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts

https://docs.graylog.org/en/3.2/pages/secure/sec_graylog_beats.html#ssl-tls-prework

I have not used wildcard certs yet, but have you tried not using a wildcard cert for troubleshooting purposes?

When creating my certs for lab testing I used these links below. I did have to reconfigure the step/s to work in my environment.

https://docs.graylog.org/en/3.2/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store

Hope this helps. Sorry I don't have a direct answer for your issue, but maybe these links might direct you to the right place.
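
The first check raised in the reply above (can the Graylog account actually reach the certificate files?), written out as an added example that is not part of the original post. It walks every directory on the way to the file and reports the first component whose mode bits block the account; the function name, the temporary tree and the mode values are constructed for illustration, and ACLs and SELinux are not evaluated.

```python
import os
import tempfile
from pathlib import Path

def first_blocker(cert_path, uid, gids):
    """Return the first path component that `uid` cannot pass, or None.

    Only classic mode bits are evaluated; ACLs, SELinux and root's
    override are outside this sketch.
    """
    path = Path(cert_path).resolve()
    for p in [*reversed(path.parents), path]:
        st = p.stat()
        # POSIX picks exactly one class: owner, else group, else other.
        if st.st_uid == uid:
            bits = st.st_mode >> 6
        elif st.st_gid in gids:
            bits = st.st_mode >> 3
        else:
            bits = st.st_mode
        need = 0o4 if p == path else 0o1  # read the file, search the directories
        if not bits & need:
            return str(p)
    return None

def demo():
    """Constructed tree: <tmp>/certs/graylog-certificate.pem, owned by the caller."""
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as tmp:
        certs = Path(tmp).resolve() / "certs"
        certs.mkdir()
        pem = certs / "graylog-certificate.pem"
        pem.write_text("constructed placeholder, not a real certificate\n")
        results = {}
        os.chmod(pem, 0o640); os.chmod(certs, 0o750)
        results["readable"] = first_blocker(pem, uid, gids)
        os.chmod(certs, 0o640)            # directory without the search (x) bit
        results["dir"] = first_blocker(pem, uid, gids) == str(certs)
        os.chmod(certs, 0o750); os.chmod(pem, 0o040)  # owner class has no read
        results["file"] = first_blocker(pem, uid, gids) == str(pem)
        os.chmod(pem, 0o640)
        return results
```

To check a real service account, pass the uid and group ids that `pwd.getpwnam` and `os.getgrouplist` return for it; the account name to look up depends on the installation.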