Assume you’ve already verified your certificates and keys on the sever side (checksum should be the same):

openssl x509 -noout -modulus -in mycert.pem
openssl rsa -noout -modulus -in mykey.pem
mysql> show variables like "%ssl%";
+---------------+-------------------------------------------+
| Variable_name | Value                                     |
+---------------+-------------------------------------------+
| have_openssl  | YES                                       |
| have_ssl      | YES                                       |
| ssl_ca        | /etc/mysql-ssl/2018/myca.pem      |
| ssl_capath    |                                           |
| ssl_cert      | /etc/mysql-ssl/2018/mycrt.pem |
| ssl_cipher    |                                           |
| ssl_crl       |                                           |
| ssl_crlpath   |                                           |
| ssl_key       | /etc/mysql-ssl/2018/mykey.pem |
+---------------+-------------------------------------------+

The file under “ssl_ca” has to be located on the client end as well.

On the client side, some versions of MySQL require a connection with a specified “ssl-ca.” This is an example of a client connecting to a MySQL 5.6 server:

mysql -udbuser -p --ssl-ca=/etc/mysql-ssl/2018/myca.pem -h database-server.com

This will have to be included in all your clients connecting from the outside. For example Ruby:

       CLIENT = Mysql2::Client.new(
                  :host     => "database-sever.com",
                  :username => "dbuser",
                  :password => "password",
                  :database => "my_db",
                  :socket   => "/var/run/mysqld/mysqld.sock",
                  :reconnect => "1",
                  :sslca     => "/etc/mysql-ssl/2018/myca.pem")

Hope that helps!