In Lucee 5.x, the /lucee/tomcat/lucee-server/context/security/cacerts trust store is used. When you click the install button, it downloads the certificate change from the remote host and adds them to the Lucee trust store.
In Lucee 6.x this default has been changed and the JRE’s trust store will be used by default and the install button will do nothing.
The only pem you’d ever put in the trust store would be the ca-cert. Now, that said, it appears you’re attempting to do some sort of client cert auth and I have no idea how that works with JDBC drivers as I’ve never done it. Client certs go into your key store, which is not the same as your trust store.
It depends. Connection refused usually means the host or port is incorrect. Authentication is a process that happens once the underlying TCP connection is established. But again I’m unclear if you’re trying to use some sort of client cert auth, and it sounds like you don’t know either
Glancing at these docs https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html
it appears your client cert and private key would go in the key store which neither Lucee nor Java seem to define by default. I believe you’d need to use the Java system properties shown in the link above to point to a keystore containing your crt and key.