  1. Documentation
  2. DOCS-11643

Proxy Server PEM File documentation for Queryable Restores omits mention of the private key

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Cloud Manager, Ops Manager
    • Labels: None

      The prerequisites section of the documentation for queryable restores references a PEM file that needs to be configured, though the only way to get any details of what this file should be is by clicking on the field name itself, which links to the configuration reference here.

      The description for this parameter is then unclear about what the PEM file should contain, and simply states:

      The Certificate Authority (CA) PEM file that contains one or more trusted certificates. Corresponds to brs.queryable.pem in the configuration file setting.

      Somewhere here we should mention that this CA PEM file should contain both the public certificate, as well as the private key, and look something like:

      -----BEGIN CERTIFICATE-----
      ...truncated...
      -----END CERTIFICATE-----
      -----BEGIN RSA PRIVATE KEY-----
      ...truncated...
      -----END RSA PRIVATE KEY-----
      

      Without this clarification, we have to add an additional note every time we link to the docs for enabling queryable restores. Otherwise, the customer may think that it is enough to have just the public certificate in the PEM file, as is normal for every other mongod or Ops Manager config where the CA.pem file does not need to contain the key.

      Here is an error from Ops Manager if it is unclear where I got this requirement from:

      2018-04-23T23:12:57.690+0000 [ProxyServer-25999] ERROR com.xgen.svc.brs.web.svc.BackupSnapshotQuerySvc [BackupSnapshotQuerySvc.java.reloadPEM:132] - Failed to load PEM file for backup tunnel.
      java.lang.RuntimeException: Certificate and private key must be in PEM file. File: /etc/ssl/certs/ca.pem
      

            Assignee:
            kay.kim@mongodb.com Kay Kim (Inactive)
            Reporter:
            mariano.escribano@mongodb.com Mariano Escribano
            Votes:
            0
            Watchers:
            3

              Created:
              Updated:
              Resolved:
              5 years, 50 weeks, 4 days ago
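
A pre-flight check for the requirement described in this ticket, as an added example (not code from Ops Manager or the MongoDB documentation): it confirms that a candidate PEM file contains both a certificate block and a private key block before it is configured for queryable restores. The function names, the set of accepted key labels, and the file-permission check are assumptions of this example, and the sample blocks are constructed placeholders.

```python
import base64
import re
import stat

# PEM block: BEGIN/END lines with matching labels (RFC 7468 textual encoding).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Assumption: common private key labels; the product's accepted set may differ.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return the labels of all well-formed PEM blocks, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Drop RFC 1421 header lines (e.g. "Proc-Type: 4,ENCRYPTED") before decoding.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # body is not valid base64, so the block is unusable
        labels.append(label)
    return labels


def check_queryable_pem(text, mode=None):
    """List problems with a candidate PEM file; an empty list means it passed."""
    labels = pem_labels(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if not KEY_LABELS.intersection(labels):
        problems.append("no private key block")
    # The file holds a private key, so group/other access is worth flagging.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is accessible to group/other")
    return problems


def _block(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples (placeholder bytes, not real certificate or key material).
CERT_ONLY = _block("CERTIFICATE", b"constructed cert")
CERT_AND_KEY = CERT_ONLY + _block("RSA PRIVATE KEY", b"constructed key")
```

To check a file on disk, pass its contents as `text` and `os.stat(path).st_mode` as `mode`.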