We currently assume certificate subject distinguished names are on the form:

CN=andreas.my, OU=Developers, O=MongoDB C=US

and use a simple substring comparison to determine if the organizational part of the DN is matching. To make the comparison more resilient we should instead parse the DN and match the relevant attributes O, OU, DC that together makes up the cluster id.

Originally we wanted to match C but that might possibly break geo-clusters.