I’ve double-checked the certs of the three members; all three have the exact same subject, except for the value of CN; e.g.
```
$ openssl x509 -in myCert.pem -inform PEM -subject -nameopt RFC2253
subject= emailAddress=dev-team@mycompany.org,CN=mongod1,OU=ops,O=myCompany,L=myCity,ST=myState,C=US
```
I’ve gone over the documentation you’re referencing several times and I’m meeting all the requirements, namely:
- All certificates were created from the same CA
- All certificates contain a non-empty value for at least one of the following: O, OU, or DC
- All certificates have the exact same DN (excepting the CN value)
- CN value on each certificate matches the hostname used by the other members
- extendedKeyUsage is present on all certs and has value clientAuth (TLS Web Client Authentication)
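
The DN items in the checklist above can be checked mechanically from the `-nameopt RFC2253` subject lines. This is an added example, not part of the original post; it does not cover the CA or extendedKeyUsage items. The function names, the hostname-to-subject mapping and the sample subjects are assumptions made for illustration.

```python
import re

REQUIRED_ANY = ("O", "OU", "DC")  # at least one must be present and non-empty

def parse_subject(line):
    """Turn an `openssl x509 -subject -nameopt RFC2253` line into (type, value) pairs."""
    dn = line.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):].strip()
    pairs = []
    # Split on ',' and '+' unless backslash-escaped; values stay in escaped form.
    for ava in re.findall(r"(?:\\.|[^\\,+])+", dn):
        key, sep, value = ava.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % ava)
        pairs.append((key.strip(), value.strip()))
    return pairs

def membership_dn_problems(subjects):
    """subjects maps each member's hostname to its subject line; returns found problems."""
    problems, reference = [], None
    for host, line in subjects.items():
        pairs = parse_subject(line)
        if not any(k in REQUIRED_ANY and v for k, v in pairs):
            problems.append("%s: no non-empty O, OU or DC" % host)
        cns = [v for k, v in pairs if k == "CN"]
        if cns != [host]:
            problems.append("%s: CN %r does not match hostname" % (host, cns))
        rest = [p for p in pairs if p[0] != "CN"]  # everything except CN, in order
        if reference is None:
            reference = (host, rest)
        elif rest != reference[1]:
            diff = sorted(set(rest) ^ set(reference[1]))
            problems.append("%s: DN differs from %s in %r" % (host, reference[0], diff))
    return problems

# Constructed sample subjects (not from the post); mongod3 carries a different OU.
SAMPLE = {
    "mongod1": r"subject= emailAddress=dev@example.org,CN=mongod1,OU=ops,O=Example\, Inc.,C=US",
    "mongod2": r"subject= emailAddress=dev@example.org,CN=mongod2,OU=ops,O=Example\, Inc.,C=US",
    "mongod3": r"subject= emailAddress=dev@example.org,CN=mongod3,OU=ops-east,O=Example\, Inc.,C=US",
}

if __name__ == "__main__":
    for problem in membership_dn_problems(SAMPLE) or ["all DN checks passed"]:
        print(problem)
```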