Comment 1 for bug 1828407

Config is in
/etc/mysql/mysql.conf.d/mysqld.cnf

default disabled:
/etc/mysql/mysql.conf.d/mysqld.cnf:103:# ssl-ca=/etc/mysql/cacert.pem
/etc/mysql/mysql.conf.d/mysqld.cnf:104:# ssl-cert=/etc/mysql/server-cert.pem
/etc/mysql/mysql.conf.d/mysqld.cnf:105:# ssl-key=/etc/mysql/server-key.pem

I confirm that the permissions keys are created are root only:
# ll /var/lib/mysql/server-key.pem
-rw------- 1 root root 1675 May 10 07:29 /var/lib/mysql/server-key.pem

Actually that is just the default of the tool as it comes from upstream
And it has parameters for all you need:

Adding --uid mysql would make it do what you want.

If the defaults of the upstream tool should be changed that would IMHO be an upstream bug.
Unfortunately the user set up to use is not part of the ./configure call so I'm not sure how it would know.

wishlist from Ubuntu perspective, if you happen to file an upstream bug to change the default pelse mention it here so it can be tracked.