A mongod configured with tlsCertificateSelector: "subject=Trusted Kernel Test Server" and tlsClusterFile: "jstests/libs/trusted-client.pem" ends up using the key in the certificate selector when connecting to other nodes, instead of the cluster key.
Indeed, the output of logSSLInfo shows that the key with subject "CN=Trusted Kernel Test Server..." is being used for both ingress (log id: 4913010) and egress (log id: 4913011):
{"t":{"$date":"2024-10-09T19:19:10.304+01:00"},"s":"I", "c":"NETWORK", "id":4913010, "ctx":"thread1","msg":"Certificate information","attr":{"subject":"CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US","issuer":"CN=Trusted Kernel Test CA,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US","thumbprint":"496B9987B8E7F5E5C1F998BC7D1AE9F4064ABE70","notValidBefore":{"$date":"2024-06-05T16:14:49.000Z"},"notValidAfter":{"$date":"2026-09-07T16:14:49.000Z"},"type":"Server"}} {"t":{"$date":"2024-10-09T19:19:10.304+01:00"},"s":"I", "c":"NETWORK", "id":4913011, "ctx":"thread1","msg":"Certificate information","attr":{"subject":"CN=Trusted Kernel Test Server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US","issuer":"CN=Trusted Kernel Test CA,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US","thumbprint":"496B9987B8E7F5E5C1F998BC7D1AE9F4064ABE70","notValidBefore":{"$date":"2024-06-05T16:14:49.000Z"},"notValidAfter":{"$date":"2026-09-07T16:14:49.000Z"},"type":"Cluster"}}
A check needs to be added in here to account for the egress (client) certificate having already been set previously when processing the tlsClusterFile.
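The comparison made by eye above can be run over a mongod log, as an added example that is not part of the original report or of the MongoDB code base. The function names are hypothetical, the sample records are constructed (trimmed to the fields used), and the check assumes tlsClusterFile holds a different certificate than the one matched by tlsCertificateSelector.

```python
import json

INGRESS_ID, EGRESS_ID = 4913010, 4913011  # logSSLInfo ids quoted in the report

def iter_records(text):
    """Yield JSON objects from log text, even when several share one line."""
    dec, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        try:
            obj, pos = dec.raw_decode(text, pos)
        except json.JSONDecodeError:
            nl = text.find("\n", pos)  # not JSON: skip the rest of this line
            pos = len(text) if nl == -1 else nl + 1
            continue
        if isinstance(obj, dict):
            yield obj

def cert_roles(text):
    """Return {'ingress': attr, 'egress': attr} from the last matching records."""
    names = {INGRESS_ID: "ingress", EGRESS_ID: "egress"}
    return {names[r["id"]]: r.get("attr", {})
            for r in iter_records(text) if r.get("id") in names}

def cluster_cert_ignored(text):
    """True if egress presents the same certificate as ingress.

    Assumption: tlsClusterFile is configured and holds a different certificate
    than the one matched by tlsCertificateSelector, so equality means a problem.
    """
    roles = cert_roles(text)
    if set(roles) != {"ingress", "egress"}:
        return False  # not enough information in this log excerpt
    return roles["ingress"].get("thumbprint") == roles["egress"].get("thumbprint")

def _rec(log_id, thumbprint, cert_type):  # builds one constructed log record
    return json.dumps({"s": "I", "c": "NETWORK", "id": log_id,
                       "msg": "Certificate information",
                       "attr": {"thumbprint": thumbprint, "type": cert_type}})

SERVER_TP = "496B9987B8E7F5E5C1F998BC7D1AE9F4064ABE70"  # thumbprint from the report
# Constructed samples: first mirrors the report, second uses a placeholder value.
SAMPLE_BUGGY = _rec(INGRESS_ID, SERVER_TP, "Server") + " " + _rec(EGRESS_ID, SERVER_TP, "Cluster")
SAMPLE_OK = _rec(INGRESS_ID, SERVER_TP, "Server") + "\n" + _rec(EGRESS_ID, "PLACEHOLDER_CLUSTER_THUMBPRINT", "Cluster")

if __name__ == "__main__":
    print("buggy:", cluster_cert_ignored(SAMPLE_BUGGY), "ok:", cluster_cert_ignored(SAMPLE_OK))
```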