also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as
"When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca=
parameters with --ssl."
SSL certificate chain validation and revocation list handling in Schannel are broken.
--ssl-ca and --ssl-crl do not work as expected in Schannel.
The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file.
What other guys are doing (ex. curl and mongodb) - they load all CA certificates and all CRL entries into chain specific memory store, and validate certificate against the store.