1) break tutorial into 2 separate
2) add clarification that client certificates are expected to be issued to a different O, OU or DC in order to NOT be considered cluster certificates identifying a server.
3) a clarifying sentence explaining that there is a one to one matching between a MongoDB user and a user/client certificate. They somehow had the idea that a machine acting as a "client" could have a certificate and automatically authenticate a number of different users with it.