- Type: Task
- Resolution: Won't Do
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: Sharding
- v4.9
- Sharding 2021-04-05, Sharding 2021-04-19, Sharding 2021-05-03, Sharding 2021-05-17, Sharding 2021-05-31
SERVER-52708 and SERVER-52709 make donorStartMigration and recipientSyncData take in donor and recipient certificate and private key PEM blobs for the migration. However, both commands currently validate only the format of the input PEM blobs (using the IDL validator); they do not validate upfront that the PEM blobs correspond to a valid X.509 certificate and private key pair. As a result, the commands don't fail with InvalidSSLConfiguration until the donor or the recipient tries to create an SSL context to connect to the other, which is after the migration has already started. To avoid wasted work, the certificate-key pair validation should be done upfront.
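
An upfront pair check of the kind described above, written as an added example with the openssl CLI (it is not MongoDB's code and not part of this ticket). The helper names `validate_pem_pair` and `make_sample_pair` are hypothetical, and the private key is assumed to be unencrypted PEM.

```bash
#!/usr/bin/env bash
# Added example (not MongoDB code): check a PEM certificate/private-key pair
# before passing the blobs to a migration command.

# validate_pem_pair CERT_PEM KEY_PEM   (hypothetical helper)
# Returns 0 = usable pair, 1 = certificate does not parse as X.509,
#         2 = private key does not parse, 3 = key does not match certificate.
validate_pem_pair() {
  local cert_pem=$1 key_pem=$2 cert_pub key_pub
  # printf is a shell builtin, so the key never appears in a process argv.
  cert_pub=$(printf '%s\n' "$cert_pem" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(printf '%s\n' "$key_pem" | openssl pkey -pubout 2>/dev/null) || return 2
  # Same SubjectPublicKeyInfo on both sides means the key belongs to the cert.
  [ "$cert_pub" = "$key_pub" ] || return 3
}

# make_sample_pair DIR NAME   (hypothetical helper)
# Constructed sample data: a throwaway self-signed pair in DIR/NAME.{crt,key}.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Stand-alone use: ./check_pair.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
  rc=0
  validate_pem_pair "$(cat "$1")" "$(cat "$2")" || rc=$?
  case $rc in
    0) echo "OK: certificate and private key match" ;;
    1) echo "FAIL: not a valid X.509 certificate" ;;
    2) echo "FAIL: not a valid private key" ;;
    3) echo "FAIL: private key does not match certificate" ;;
  esac
  exit "$rc"
fi
```

The distinct return codes separate a blob that passes a format check but is not a parseable certificate or key from a well-formed key that belongs to a different certificate, which is the case that otherwise surfaces only when the SSL context is created.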