How to produce certificates for use with mongo

I’m figuring out how to use Vault to replace shell scripts that previously generated certificates for use with mongodb, but my knowledge of SSL is not good enough to know how to produce something that will pass an openssl verify step. I can produce the certificates, but I must be getting mixed up in all the SSL lingo! These are my steps using a host that has IAM permissions to login to vault and generate the certs:

export VAULT_ADDR=https://vault.service.consul:8200
vault login -method=aws header_value=vault.service.consul role=provisioner-vault-role  
vault write -format=json pki_int/issue/firehawkvfx-dot-com \
common_name=deadlinedb.service.consul \
ttl=8760h | tee \
>(jq -r .data.certificate > /etc/ssl/mongodb_ca.pem) \
>(jq -r .data.issuing_ca > /etc/ssl/mongodb_issuing_ca.pem) \
>(jq -r .data.private_key > /etc/ssl/mongodb_ca_key.pem)
cat /etc/ssl/mongodb_ca_key.pem /etc/ssl/mongodb_ca.pem > /etc/ssl/mongodb_consolidated_certs.pem

but openssl verify will fail:

openssl verify -CAfile /etc/ssl/mongodb_issuing_ca.pem /etc/ssl/mongodb_consolidated_certs.pem
O =, CN = pki-ca-int
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/ssl/mongodb_consolidated_certs.pem: verification failed

Part of this workflow being replaced is provided here python - Self-signed SSL connection using PyMongo - Stack Overflow