Hi Huihua Jin,

Through the SSL/TLS handshake, the server sends its certificate to the client (in clear text) and verifies that it holds the corresponding private key using an authenticated key exchange.

For client-certificate authentication, it's not enough to send the certificate during the handshake: the client must also prove it owns the private key. Otherwise, anyone who receives that certificate could clone it. By using certificates, you prevent any cloning, thereby avoiding ever having to disclose your own secret (the private key).

Specifically, the client must sign the handshake messages in the Certificate Verify message of the TLS handshake so that the server can verify it against the public key contained in the client certificate. It would be impossible to authenticate a client certificate if this step did not take place.

Hope that answers your question.

Best,

Judith
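
The proof-of-possession step described in the reply above, as an added example that is not part of the original post: it builds the content a TLS 1.3 client signs in CertificateVerify (layout per RFC 8446, section 4.4.3, which goes beyond what the reply spells out) and shows the server-side check passing for the key owner and failing for a party holding only the certificate or replaying an old signature. Assumptions: a bare Ed25519 public key stands in for the client certificate, the transcripts are constructed sample strings, and the names `signedContent`, `serverAccepts` and `demo` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedContent builds the bytes a TLS 1.3 client signs in CertificateVerify
// (RFC 8446, section 4.4.3): 64 spaces, a context string, a zero byte, and
// the hash of all handshake messages exchanged so far.
func signedContent(transcript []byte) []byte {
	h := sha256.Sum256(transcript)
	b := bytes.Repeat([]byte{0x20}, 64)
	b = append(b, "TLS 1.3, client CertificateVerify"...)
	b = append(b, 0)
	return append(b, h[:]...)
}

// serverAccepts is the server-side check: the signature must verify under the
// public key taken from the certificate the client presented.
func serverAccepts(certKey ed25519.PublicKey, transcript, sig []byte) bool {
	return ed25519.Verify(certKey, signedContent(transcript), sig)
}

// demo returns the outcome for the real client, a party that only copied the
// certificate, and a signature replayed from an earlier handshake.
func demo() (owner, copied, replayed bool) {
	// Assumption: certKey stands in for the public key inside the certificate.
	certKey, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // copier lacks clientPriv

	// Constructed transcripts; real ones contain the full handshake messages.
	t1 := []byte("ClientHello|ServerHello|...|Certificate (handshake 1)")
	t2 := []byte("ClientHello|ServerHello|...|Certificate (handshake 2)")

	sig := ed25519.Sign(clientPriv, signedContent(t1))
	owner = serverAccepts(certKey, t1, sig)
	copied = serverAccepts(certKey, t1, ed25519.Sign(otherPriv, signedContent(t1)))
	replayed = serverAccepts(certKey, t2, sig)
	return
}

func main() {
	owner, copied, replayed := demo()
	fmt.Println("key owner:", owner, "| certificate only:", copied, "| replayed signature:", replayed)
}
```

Because the signature covers the transcript hash, a signature captured from one handshake does not verify in another, which is why the certificate and an old CertificateVerify together are still not enough to authenticate.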
