The code for reading certs/keys in AddClientCertFromFile doesn't handle encrypted .pem data. I've done this on a fork of the TLS config code I'm using for TOOLS-1948 and integrating it back to the Go driver should be straightforward once the refactoring is complete.

Suggested steps:

• Add an SSLCaFilePassword option
• Pass both SSLCaFile and SSLCaFilePassword to AddClientCertFromFile
• Within AddClientCertFromFile, use x509.DecryptPEMBlock if an encrypted PEM file is found