Client certificate authentication not parsing username

So I have an ES cluster with a TLS enabled, however I can’t seem to hit any endpoints using the admin certificate and curl.
My security config file contains the following:

  type: "config"
  config_version: 2

    description: "Authenticate via SSL client certificates"
    http_enabled: true
    transport_enabled: true
    order: 1
      type: clientcert
        username_attribute: cn
      challenge: false
      type: noop

And so I am expecting it to pull the CN from the cert and use that as a username.
I also have the following config in my elasticsearch.yml

opendistro_security.ssl.http.clientauth_mode: REQUIRE
  - "CN=elastic-admin,OU=Application,O=MyOrg,L=GB"

However, after all the config and using the admin cert & key I get the following response:

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=CN=elastic-admin,OU=Application,O=MyOrg,L=GB, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/health] and User [name=CN=elastic-admin,OU=Application,O=MyOrg,L=GB, backend_roles=[], requestedTenant=null]"},"status":403}

Even attempting to ensure the subject is correct I have inspected the cert with openssl

[root@st-shared-es-0 bleasej]# openssl x509 -subject -nameopt RFC2253 -noout -in admin.crt
subject= CN=elastic-admin,OU=Application,O=MyOrg,L=GB

Turns out that the config changes I were making to the existing cluster (moving from basic auth to client cert) weren’t being picked up. I used to remove the security plugin settings and apply the new config. This sorted it all!