Great question Steven. I just wrote an article explaining how Certificate Authorities are able to verify that a remote server is who they claim to be at https://www.brandonchecketts.com/archives/how-do-clients-securely-connect-to-ssl-https-servers

That is more focused on HTTPS, since that is what people will be more familiar with, but the exact same steps are used for MySQL since it uses the same SSL libraries and root certificates on your system. As long as the remote system has a certificate that is signed by a trusted Certificate Authority, you don’t need to provide the server certificate to the client in advance.

But the part that I still don’t get is:
> If the certificate you used when setting up SSL is valid, and is trusted by the client attempting to establish a connection, then the connection attempt should succeed. The client does not need to present a certificate here, but it does need to trust the issuer of the certificate

Specifically the following sentence doesn’t make sense to me:
> This is generally done by having a copy of the CA certificate on your machine and verifying that the certificate presented by the server is signed/issued by the CA.This corresponds roughly to the –ssl-mode=VERIFY_CA and –ssl-mode=VERIFY_IDENTITY (which checks that the host name in the certificate matches the server you are trying to connect to).

How could my client trust the issuer of the certificate if, on my client machine, there is no copy of the CA certificate? In my /etc/my.cnf and ~/.my.cnf files there is nothing to do with `ssl-*` anything! My understanding of encryption is that both the client and the server need somehow access to the same key of sorts — this (https://security.stackexchange.com/questions/73244/can-we-have-https-without-certificates) answer seems to mention something about DH_anon but I don’t quite get whether that has anything to do with anything 😛 . But I’m confused since in this case my server may have some files that I’ve generated with openssl but my client has none of those files!