Description:
As SSL/TLS provides both connection security and peer verification it is best for it to be setup by the administrator of the server. However many servers run completely without SSL and neither support connnection security or peer verification.

For the SHA256 password authentication to work either SSL is needed or a RSA keypair must be generated.

Many user don't known the correct settings for the CREATE USER and/or GRANT syntax. So users think they have configured and required SSL and that the client certificate will be checked, but this might nog be the case (REQUIRE SSL vs. REQUIRE X509).

How to repeat:
See description.

Suggested fix:
1. The server could generate or ship a default SSL certificate and thus provide at least the option to secure the connection. 

2. The RSA keypair for the SHA256 authentication should be generated during the installation, just like OpenSSH does.

3. A script could be shipped with the server or the mysql utilities. Then the script can be used as a wizzard to generate the keys, certificates and maybe even the client certificates and then provide the user with the correct settings for the configuration or grant syntax.

An example for how the SSL certs could be generated:
https://github.com/dveeden/myssl

Thanks for the very valid suggestion, Daniël!  We've had a series of internal discussions about this, and one proposal is to generate SSL certs and RSA keys to a default (secure) location at server startup if they don't already exist, and the server is not provided with explicit SSL options.  I assume that would be an acceptable solution, here, but please let us know if you think it needs something else.

@Todd: That would be great.

This feature is implemented in MySQL 5.7.6, and the following blog post describes the generation process of key material in greater detail:

http://mysqlblog.fivefarmers.com/2015/04/09/ssltls-in-mysql-5-7/

Thanks for the feature request!