Java Apps connecting to MySQL are not automatically using mutual TLS


Article ID: 297491


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

The Java buildpack automatically enables mutual TLS for most application-initiated TLS connections. This is done by the Container Security Provider, which contributes a KeyManagerFactory that adds an extra KeyManager; that KeyManager presents the Diego instance identity certificate and key (the PEM files at the paths in $CF_INSTANCE_CERT and $CF_INSTANCE_KEY) as the client credential on outgoing connections.

The Container Security Provider can be bypassed, though. This happens when an application opens TLS connections without using the default SSLContext. Once bypassed, how the SSLContext is configured is entirely up to the application, which would have to explicitly configure the Diego instance identity certificate if it wants mutual TLS.

The most notable case is newer versions of the MySQL JDBC driver (Connector/J). Newer releases of both the 5.1 and 8.0 branches (observed specifically in 5.1.48 and 8.0.18) build their own SSLContext and so bypass the provider.

Resolution

To configure mutual TLS for the MySQL JDBC driver, pass these additional connection properties (as query parameters on the JDBC URL or in the Properties object handed to the driver; changeit is a placeholder password):
clientCertificateKeyStoreUrl=file:path/to/mysqlclient-keystore.p12
clientCertificateKeyStorePassword=changeit
clientCertificateKeyStoreType=PKCS12
or, for a Java keystore (JKS is the driver's default keystore type, so the type property can be omitted):
clientCertificateKeyStoreUrl=file:path/to/mysqlclient-keystore.jks
clientCertificateKeyStorePassword=changeit
See the MySQL Connector/J documentation for further details.

The mysqlclient-keystore.p12 or .jks file must be bundled in your JAR/WAR, and the path adjusted to match where you put it. The relative path is from the root of the JAR/WAR: the Java buildpack extracts the archive into the application directory, which is the working directory at runtime, so a relative file: URL resolves from there. Keep in mind that the keystore contains a private key, so anyone who can obtain the artifact and read the keystore password from the connection string holds that client identity; prefer supplying the password through an environment variable or a bound service rather than hard-coding it in the JDBC URL.
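The following is an added example of wiring these properties up from Java and checking the bundled keystore before the first connection; it is not code from this article, the Java buildpack or Connector/J. The keystore path (config/mysqlclient-keystore.p12 inside the archive), the environment variable names, the sslMode setting (Connector/J 8.0.13 and later; the 5.1 branch uses useSSL, requireSSL and verifyServerCertificate instead) and the host/database values are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Collections;
import java.util.Properties;

/**
 * Added example: configure MySQL Connector/J for mutual TLS with a keystore
 * bundled in the application archive. Not code from the article, the Java
 * buildpack or Connector/J. Paths, variable names and sslMode are assumptions.
 */
public class MySqlMutualTlsExample {

    // Assumed location inside the JAR/WAR. The buildpack extracts the archive
    // and runs the app from its root, so this relative path resolves at runtime.
    static final String KEYSTORE_PATH = "config/mysqlclient-keystore.p12";
    static final String KEYSTORE_TYPE = "PKCS12";

    /** Driver properties that make Connector/J present the bundled client certificate. */
    static Properties mutualTlsProperties(String user, String password, String keystorePassword) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        // Assumed (8.0.13+): require TLS and verify the server certificate.
        // On the 5.1 branch use useSSL=true, requireSSL=true, verifyServerCertificate=true.
        p.setProperty("sslMode", "VERIFY_CA");
        // The three client keystore options from the article.
        p.setProperty("clientCertificateKeyStoreUrl", "file:" + KEYSTORE_PATH);
        p.setProperty("clientCertificateKeyStorePassword", keystorePassword);
        p.setProperty("clientCertificateKeyStoreType", KEYSTORE_TYPE);
        return p;
    }

    /**
     * Fail fast at startup: load the keystore with the configured password and
     * confirm it contains a private-key entry whose certificate is currently valid.
     * Returns the client certificate the driver will present.
     */
    static X509Certificate checkKeystore(String keystorePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, keystorePassword.toCharArray());   // wrong password -> IOException
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                cert.checkValidity();   // throws if expired or not yet valid
                return cert;
            }
        }
        throw new GeneralSecurityException(
                "keystore has no private-key entry; the driver cannot do mutual TLS with it");
    }

    public static void main(String[] args) throws Exception {
        // Assumed: connection details and the keystore password come from the
        // environment (for example from a bound service), never from the URL.
        String url = "jdbc:mysql://" + System.getenv("MYSQL_HOST") + ":3306/"
                + System.getenv("MYSQL_DB");
        String keystorePassword = System.getenv("MYSQL_KEYSTORE_PASSWORD");

        X509Certificate client = checkKeystore(keystorePassword);
        System.out.println("presenting client certificate: " + client.getSubjectX500Principal());

        Properties props = mutualTlsProperties(System.getenv("MYSQL_USER"),
                System.getenv("MYSQL_PASSWORD"), keystorePassword);
        try (Connection c = DriverManager.getConnection(url, props);
             Statement s = c.createStatement();
             // Ask the server what it negotiated: Ssl_cipher is empty when the
             // session is not encrypted at all.
             ResultSet rs = s.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            if (rs.next()) {
                System.out.println("Ssl_cipher = " + rs.getString(2));
            }
        } catch (SQLException e) {
            // A handshake failure (server rejected or did not receive the client
            // certificate) surfaces here as a communications-link error.
            throw e;
        }
    }
}
```

The Ssl_cipher check only proves the session is encrypted; whether the server actually demanded and validated the client certificate is a server-side setting (REQUIRE X509 or REQUIRE SUBJECT on the MySQL account), so confirm that on the database side as well.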

There is not presently a way to point the MySQL JDBC driver at the Diego instance identity certificate, because it is supplied as PEM files rather than in PKCS12 or Java keystore format. The bundled keystore therefore carries an application-managed client certificate, not the instance identity, and the MySQL server must be configured to trust the CA that issued it.