Security

FIPS kvstore certificate purpose

pongey
Engager

Environment: Single Splunk 7.3.9 search head / indexer with FIPS_MODE=1

etc/system/local/server.conf

[sslConfig]
sslRootCAPath = $SPLUNK_HOME\etc\auth\mycerts\consolidatedCA.pem

[kvstore]
serverCert = mycerts\kvstore_consolidated.pem
sslPassword = <password_for_private_key>

The "kvstore_consolidated.pem" contains my private key and the server cert.

Issue: kvstore fails to start. (log below from splunkd.log)

07-19-2021 11:06:35.763 -0400 ERROR KVStoreConfigurationProvider - Could not get ping from mongod.
07-19-2021 11:06:35.763 -0400 ERROR KVStoreConfigurationProvider - Could not start mongo instance. Initialization failed.
07-19-2021 11:06:35.763 -0400 ERROR KVStoreBulletinBoardManager - KV Store changed status to failed. Failed to start KV Store process. See mongod.log and splunkd.log for details..
07-19-2021 11:06:35.763 -0400 ERROR KVStoreBulletinBoardManager - Failed to start KV Store process. See mongod.log and splunkd.log for details.

mongod.log:

2021-07-15T14:36:03.080Z E NETWORK  [conn941] SSL peer certificate validation failed: unsupported certificate purpose
2021-07-15T14:36:03.080Z I NETWORK  [conn941] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 127.0.0.1:52128 (connection id: 941)

So it seems like the server is trying to make loopback requests and act as both the server and the client in SSL comms.

In reading this (while it's not the same issue), the suggestion is to have the CA sign the CSR so it's both client and server.

Before I go down this road (the CA I am using does not seem to support this; it can only sign as either "user" or "server"), I just want to see if anyone else has run into this?

I also tried the server.conf settings in this article, but with the same results:

https://splunkcommunity.com/wp-content/uploads/2019/11/FIPSConf_Final.pdf


TWRatcliff
Engager

You can use:
openssl x509 -purpose -in "path_to_cert" to see if your cert has SSL client and SSL server as the certificate purpose.

It does need both to work.

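As an added example (not code from the thread or from Splunk), this shell script applies the openssl x509 -purpose check above to a consolidated key+cert PEM like kvstore_consolidated.pem and reports which of the two purposes is missing. To demonstrate, it generates two constructed self-signed certificates, one with serverAuth and clientAuth and one with serverAuth only; it assumes OpenSSL 1.1.1 or later (for -addext), and the file names and CN are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the "openssl x509 -purpose" check
# to a consolidated key+cert PEM (like kvstore_consolidated.pem) and report which
# of the two purposes KV Store's loopback client/server handshake is missing.
set -eu

# Returns 0 when the first CERTIFICATE block in $1 can act as both an SSL client
# and an SSL server; otherwise prints the missing purpose(s) and returns 1.
cert_has_client_and_server_purpose() {
    pem="$1"
    # Extract only CERTIFICATE blocks so a file that also holds the private key works.
    purposes=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
               | openssl x509 -noout -purpose)
    ok=0
    echo "$purposes" | grep -q '^SSL client : Yes' || { echo "$pem: missing SSL client purpose"; ok=1; }
    echo "$purposes" | grep -q '^SSL server : Yes' || { echo "$pem: missing SSL server purpose"; ok=1; }
    return $ok
}

# Constructed demo material (assumption: OpenSSL 1.1.1+ for -addext).
# $1 = output file, $2 = extendedKeyUsage value. Writes key then cert into one file.
make_consolidated_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kvstore-demo" \
        -addext "extendedKeyUsage=$2" -keyout "$1" -out "$1.crt" >/dev/null 2>&1
    cat "$1.crt" >> "$1"
}

tmp=$(mktemp -d)
make_consolidated_pem "$tmp/both.pem" "serverAuth,clientAuth"
make_consolidated_pem "$tmp/server_only.pem" "serverAuth"

for f in "$tmp/both.pem" "$tmp/server_only.pem"; do
    if cert_has_client_and_server_purpose "$f"; then
        echo "$f: usable for KV Store (client and server purposes present)"
    else
        # This is the case behind the mongod.log line "unsupported certificate purpose".
        echo "$f: mongod would reject this with 'unsupported certificate purpose'"
    fi
done
```

A certificate with no extendedKeyUsage extension at all also passes this check, because OpenSSL then treats it as valid for any purpose.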