MySQL Forums

Re: Enabling SSL
Posted by: Georgi Kodinov
Date: October 12, 2017 03:04AM

Disclaimer: I assume you're using MySQL 5.7. Things described below can work on earlier versions too, but only partially, and maybe you'd need to use now-obsolete options.

I suggest you consider using the mysql tools to generate the certificates needed: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html

At a glance, what's missing from your script above is the server/client certificate signing by the self-signed CA.

You also only configured SSL on the server. The client is left to its defaults. The defaults are good (--ssl-mode=preferred). But they are not perfect (i.e. if the SSL establishment fails for any reason it'd happily fall back to a non-encrypted connection).

So I'd consider doing --ssl-mode=required or even --ssl-mode=verify_ca/verify_identity ...

See https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-options.html#option_general_ssl-mode for more details.

This would of course require at least a CA certificate on the client too.

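Added example, not part of the original post or of the MySQL tools: one way to do the CA signing step with OpenSSL and check that the server and client certificates chain to the CA before pointing the client at it with --ssl-mode=VERIFY_CA. The directory layout, CN values, serial numbers, host name and user name are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: self-signed CA plus CA-signed server/client certificates.
# File names follow the ca.pem / server-cert.pem / client-cert.pem pattern;
# CNs, serials and validity periods are illustrative assumptions.
set -eu

# Create the CA key and self-signed CA certificate in directory $1.
make_ca() {
    openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key "$1/ca-key.pem" \
        -subj "/CN=Example MySQL CA" -out "$1/ca.pem"
}

# Issue certificate $2 (server or client) with CN $3 and serial $4,
# signed by the CA in $1. The CN must differ from the CA's CN,
# otherwise verification of the issued certificate fails.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2-key.pem" \
        -subj "/CN=$3" -out "$1/$2-req.pem" 2>/dev/null
    openssl x509 -req -in "$1/$2-req.pem" -days 3650 \
        -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" -set_serial "$4" \
        -out "$1/$2-cert.pem" 2>/dev/null
}

# Succeed only if certificate $2 chains to the CA in directory $1.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1
}

# Typical use (hypothetical directory and names):
#   make_ca /etc/mysql/certs
#   issue_cert /etc/mysql/certs server db.example.internal 01
#   issue_cert /etc/mysql/certs client mysql-client 02
#   verify_chain /etc/mysql/certs /etc/mysql/certs/server-cert.pem
#
# Server option file, [mysqld] section:
#   ssl-ca=ca.pem  ssl-cert=server-cert.pem  ssl-key=server-key.pem
# Client, refusing both plaintext fallback and certificates from another CA:
#   mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -h db.example.internal -u app -p
```

Only ca.pem needs to be copied to the client for VERIFY_CA; ca-key.pem stays on the machine that issues certificates.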



