MySQL JDBC force ignore client certificate on AWS RDS
You can force MySQL to use no client certificate by setting an empty keystore in the connection URL.
The problem I had above was a variant of https://bugs.mysql.com/bug.php?id=36948 -- if you set "clientCertificateKeyStoreUrl" in the connection URL but not also "trustCertificateKeyStoreUrl" (and the 4 other params below), then MySQL will crash with "TrustManagerFactoryImpl is not initialized" instead of a more helpful error.
You can create an empty keystore with a command like:
keytool -genkey -alias foo -keystore empty.jks # (set password "changeit")
keytool -delete -alias foo -keystore empty.jks
Then connect to MySQL with a URL like:
jdbc:mysql://my-server-id.rds.amazonaws.com/my-database?verifyServerCertificate=true&useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:empty.jks&clientCertificateKeyStorePassword=changeit&clientCertificateKeyStoreType=JKS&trustCertificateKeyStoreUrl=file:/etc/pki/cosmos/current/client.jks&trustCertificateKeyStoreType=JKS&trustCertificateKeyStorePassword=changeit
All 6 keystore args are required, even if you want the defaults, otherwise you will see the "TrustManagerFactoryImpl is not initialized" error