How to produce certificates for use with mongo

I’m figuring out how to use Vault to replace shell scripts that previously generated certificates for use with mongodb, but my knowledge of SSL is not good enough to know how to produce something that will pass an openssl verify step. I can produce the certificates, but I must be getting mixed up in all the SSL lingo! These are my steps using a host that has IAM permissions to log in to Vault and generate the certs:

export VAULT_ADDR=https://vault.service.consul:8200
vault login -method=aws header_value=vault.service.consul role=provisioner-vault-role  
vault write -format=json pki_int/issue/firehawkvfx-dot-com \
common_name=deadlinedb.service.consul \
ttl=8760h | tee \
>(jq -r .data.certificate > /etc/ssl/mongodb_ca.pem) \
>(jq -r .data.issuing_ca > /etc/ssl/mongodb_issuing_ca.pem) \
>(jq -r .data.private_key > /etc/ssl/mongodb_ca_key.pem)
cat /etc/ssl/mongodb_ca_key.pem /etc/ssl/mongodb_ca.pem > /etc/ssl/mongodb_consolidated_certs.pem

but openssl verify will fail:

openssl verify -CAfile /etc/ssl/mongodb_issuing_ca.pem /etc/ssl/mongodb_consolidated_certs.pem
O = firehawkvfx.com, CN = pki-ca-int
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/ssl/mongodb_consolidated_certs.pem: verification failed

Part of this workflow being replaced is provided here: "python - Self-signed SSL connection using PyMongo" (Stack Overflow).

If you managed to solve it, could you please share the solution?

Since I use mongo for AWS Thinkbox Deadline, I used a partial solution provided by them to generate the certs and to configure deadline (mongo) to accept the certs for auth. I didn’t end up using vault to do this, but there might be enough information to decipher how to do it with vault from here:

Any of the functions with name generate_certs in bash here provide the bread crumbs I used to install deadline and mongo with no authentication initially, and then post configure it to use a cert.
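
The `openssl verify` failure in the question, reproduced as an added example that is not part of the original posts or of Vault's own material: `-CAfile` must hold every CA up to a self-signed root unless `-partial_chain` is given, so a CA file containing only the intermediate stops at depth 1. The root, intermediate and leaf below are a constructed throwaway hierarchy with made-up names and paths; with Vault, the assumption is that the full chain comes from the `ca_chain` field of the issue response (present when the intermediate mount has its chain configured) or from the root CA certificate added alongside `issuing_ca`.

```bash
#!/bin/sh
# Added example. Builds a throwaway root -> intermediate -> leaf hierarchy
# (all names constructed) to show what `openssl verify -CAfile` requires.
set -eu

issue() {   # issue <dir> <name> <CN> <signer-name|self> [extfile]
  local d="$1" n="$2" cn="$3" signer="$4" ext="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ "$signer" = self ]; then
    set -- -signkey "$d/$n.key"
  else
    set -- -CA "$d/$signer.pem" -CAkey "$d/$signer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$d/$n.csr" -days 2 "$@" \
    ${ext:+-extfile "$ext"} -out "$d/$n.pem" 2>/dev/null
}

build_demo_pki() {   # build_demo_pki <empty dir>
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  issue "$d" root demo-root self "$d/ca.ext"                 # self-signed root
  issue "$d" int  demo-pki-ca-int root "$d/ca.ext"           # stands in for pki_int
  issue "$d" leaf deadlinedb.service.consul int              # issued server cert
  cat "$d/leaf.key" "$d/leaf.pem" > "$d/consolidated.pem"    # key + cert, as in the post
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"            # full CA chain
}

chain_ok() {   # chain_ok <CAfile> <cert> [extra `openssl verify` options]
  local ca="$1" cert="$2"; shift 2
  openssl verify "$@" -CAfile "$ca" "$cert" >/dev/null 2>&1
}

work=$(mktemp -d)
build_demo_pki "$work"
# Intermediate alone: the chain cannot be completed up to a self-signed root.
chain_ok "$work/int.pem" "$work/consolidated.pem" || echo "int only: FAIL"
# Intermediate plus root in the CA file: the chain completes.
chain_ok "$work/chain.pem" "$work/consolidated.pem" && echo "int + root: OK"
# Or tell OpenSSL to accept the intermediate itself as the trust anchor.
chain_ok "$work/int.pem" "$work/consolidated.pem" -partial_chain && echo "partial_chain: OK"
rm -rf "$work"
```

Trusting the intermediate directly with `-partial_chain` narrows what the client accepts to that one issuing CA, while a CA file with the root accepts anything the root has signed; which one fits depends on how the MongoDB clients are meant to trust the server.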