How it works
1. Mutual authentication starts with a handshake.
2. The client sends a «client hello» message to the server, including cryptographic information, to which the server responds with a «server hello».
3. The client hello carries the client's cryptographic information: the SSL/TLS version, the cipher suites it prefers, and the data compression methods it supports.
4. The server chooses the SSL/TLS version, cipher suite, and data compression method from the client's list and replies with a server hello that also contains the session ID and a client certificate request.
5. The server then sends the client its digital certificate, which contains the server public key, followed by a "Server Hello Done" message.
6. The client verifies the certificate chain, expiration date, and revocation status of the server certificate, then sends a random string of data encrypted with the server public key.
7. The server decrypts that data with its private key; both client and server then use it to generate the symmetric key with which they encrypt and decrypt data.
8. The server validates the client using the client's digital certificate, which contains the client public key. A "Certificate Verify" message follows; it contains a digitally signed copy of the previous message, signed with the client's private key.
9. The server verifies the client's digital certificate (certificate chain, expiration date, and revocation status) and checks the "Certificate Verify" message with the client public key.
10. The handshake is complete and application data can be sent. Both client and server send a "Finished" message encrypted with the symmetric key.
The whole point of the mutual authentication process is to establish trust between the two sides so that they can carry out their communication-related functions.
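The client-authentication half of this handshake (steps 6, 8 and 9) can be exercised end to end with Go's crypto/tls package. This is an added example, not code from the original page: it generates two constructed self-signed test identities in memory, runs one loopback handshake against a server configured with tls.RequireAndVerifyClientCert, and reports whether the server accepted the client; the names selfSigned and mutualTLSAccepts are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory, short-lived self-signed identity usable for server or client auth (constructed test data).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{"localhost"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// mutualTLSAccepts runs one loopback handshake; the server requires and verifies a client certificate (steps 8 and 9).
func mutualTLSAccepts(clientPresentsCert bool) bool {
	srvID, cliID := selfSigned("localhost"), selfSigned("client")
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(cliID.Leaf) // the only client identity the server accepts
	rootCAs.AddCert(srvID.Leaf)   // the client pins the server identity (step 6)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvID}, ClientCAs: clientCAs,
		ClientAuth: tls.RequireAndVerifyClientCert} // this setting is what makes the TLS mutual
	cliCfg := &tls.Config{RootCAs: rootCAs, ServerName: "localhost"}
	if clientPresentsCert { // otherwise the client answers the certificate request with an empty list
		cliCfg.Certificates = []tls.Certificate{cliID}
	}
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	go func() { // client side: connect, then wait until the server has accepted or rejected us
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Read(make([]byte, 1))
			c.Close()
		}
	}()
	conn, _ := ln.Accept()
	defer conn.Close()
	return tls.Server(conn, srvCfg).Handshake() == nil // the server's verdict is the authentication result
}
```

A client that presents the certificate the server trusts completes the handshake; one that presents nothing is rejected before any application data flows.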