When you connect to MySQL through an SSL connection, why do you pass the server-side certificates as the parameters? I would have thought that (like with HTTPS) you would have a client-side key and then do all the SSL handshakey stuff from there. But when you connect to MySQL with SSL you use:
mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
The client key is coming from the server, but I would have thought it came from the client?
It then leads on to the question about REQUIRE ISSUER (for example). Surely you only have a choice of using the same certificate the server issues, so why would you ever need that parameter?
"If the client presents a certificate that is valid but has a different issuer"
How would the client ever present a certificate that was different?
Maybe I'm missing something obvious so apologies if this is a stupid question.
The key here is that the client certificates must be manually copied to the client and used in the connection process. I hope that helps anyone else who didn't find this!
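The account-side half of this, as an added example that is not part of the original post: it shows where REQUIRE ISSUER sits among the other TLS account options and when a "valid but different issuer" certificate can occur. The account names, password placeholders and distinguished names are constructed for illustration.

```sql
-- Added example. All names, passwords and DNs below are constructed.

-- 1. Encrypted channel only: the client does not need a certificate at all.
CREATE USER 'report'@'%' IDENTIFIED BY '<password-placeholder>'
  REQUIRE SSL;

-- 2. Any valid client certificate: it only has to verify against one of
--    the CA certificates the server trusts (ssl_ca file or ssl_capath
--    directory). Issuer and subject are not checked.
CREATE USER 'batch'@'%' IDENTIFIED BY '<password-placeholder>'
  REQUIRE X509;

-- 3. Valid certificate AND a specific issuer AND a specific subject.
--    If the server trusts more than one CA (for example a production CA
--    and a staging CA), a certificate signed by the staging CA is still
--    "valid" for case 2 but is rejected here because its issuer differs.
CREATE USER 'billing'@'%' IDENTIFIED BY '<password-placeholder>'
  REQUIRE ISSUER  '/C=GB/O=Example Ltd/CN=Example Production CA'
      AND SUBJECT '/C=GB/O=Example Ltd/CN=billing-client';

-- Audit which accounts enforce what. ssl_type is '', 'ANY' (REQUIRE SSL),
-- 'X509' or 'SPECIFIED' (issuer/subject/cipher given).
SELECT user,
       host,
       ssl_type,
       CONVERT(x509_issuer  USING utf8mb4) AS required_issuer,
       CONVERT(x509_subject USING utf8mb4) AS required_subject
FROM   mysql.user
WHERE  user IN ('report', 'batch', 'billing');

-- From a connected session: a non-empty value means the channel is encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The client then connects with the `--ssl-ca`, `--ssl-cert` and `--ssl-key` options shown in the question; the server compares the presented certificate's issuer and subject with the strings stored on the account.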