
PHP to MySQL SSL connection

Updated: 2023-11-28 15:45:10

Here PHP (and mysqli_real_connect) is the client, not the server. You're configuring it with mysqli_ssl_set for client-certificate authentication (and using the server key and certificate).

I'm not sure how you've configured your MySQL server, but there should be something like this in the (MySQL) server section of the configuration:

ssl-key=/mysql-ssl-certs/server-key.pem
ssl-cert=/mysql-ssl-certs/server-cert.pem
ssl-ca=/mysql-ssl-certs/ca-cert.pem

These don't belong to the client side anyway (only the CA certificate does, but definitely not the server's private key).

Once you've done this, you can try to see if the server is configured properly using the command line client:

mysql --ssl-verify-server-cert --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...

or perhaps this (although verify-server-cert should really be enabled for SSL/TLS to be useful):

mysql --ssl-ca=/mysql-ssl-certs/ca-cert.pem --ssl -h hostname ...

This should work at least on the command line.

Then, from PHP, you get two options:

  • use mysqli_ssl_set like you've done, but leaving $key and $cert null, unless you want to use a client-certificate which really ought to be different from your server certificate. (I can't remember whether that works.)
  • possibly easier, omit mysqli_ssl_set altogether and configure this in your global MySQL client configuration file (where PHP should be able to pick it up, possibly /etc/mysql/my.cnf, but this may vary depending on your distribution):

[client]
ssl-ca=/mysql-ssl-certs/ca-cert.pem

(This is similar to the server config, but on the client side/in the client section.)

For the authorization part (GRANT):

  • REQUIRE SSL only requires the use of SSL/TLS
  • REQUIRE ISSUER, REQUIRE SUBJECT and REQUIRE X509 require the client to present a client-certificate to compare to the required values (that's the case where you'd need to use ssl-key and ssl-cert on the client side, either in the config or within mysqli_ssl_set).
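As an added example (not part of the original answer), here is the first PHP option above put into a script: only the CA certificate is given to mysqli_ssl_set, server-certificate verification is switched on (the PHP equivalent of --ssl-verify-server-cert), and the script then checks that the session is really encrypted instead of silently falling back to plaintext. The hostname, user, password and database name are placeholders; the CA path is the one used in the answer.

```php
<?php
// Added example, not from the original answer: TLS from PHP to MySQL with
// CA-only configuration on the client side and server-cert verification on.
// Host, user, password and database below are placeholders (assumptions).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any failure

function connectWithTls(string $host, string $user, string $pass, string $db): mysqli
{
    $link = mysqli_init();

    // Reject the server if its certificate does not chain to our CA or does not
    // match the hostname we connected to (same effect as --ssl-verify-server-cert).
    mysqli_options($link, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

    // Client side needs only the CA certificate: no client key, no client cert.
    mysqli_ssl_set($link, null, null, '/mysql-ssl-certs/ca-cert.pem', null, null);

    // MYSQLI_CLIENT_SSL requests an encrypted session; with verification enabled
    // above, a server that cannot prove its identity is refused.
    mysqli_real_connect($link, $host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);

    return $link;
}

function tlsCipher(mysqli $link): string
{
    // Ssl_cipher is an empty string when the session is NOT encrypted.
    $res = mysqli_query($link, "SHOW STATUS LIKE 'Ssl_cipher'");
    $row = mysqli_fetch_assoc($res);
    return $row['Value'] ?? '';
}

$link = connectWithTls('db.example.internal', 'app', 'placeholder-password', 'appdb');

$cipher = tlsCipher($link);
if ($cipher === '') {
    // Fail closed: never keep using a connection that ended up unencrypted.
    mysqli_close($link);
    throw new RuntimeException('MySQL connection is not encrypted');
}
echo "TLS in use, cipher: $cipher\n";
mysqli_close($link);
```

If the server has REQUIRE X509 (or REQUIRE ISSUER / SUBJECT) on the account, the same script needs the client key and certificate passed as the second and third arguments of mysqli_ssl_set, as the last bullet above describes.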