CertificateRequest
TLS handshake message that requests a client certificate, the core of mTLS.
Definition
By default TLS authenticates only the server. By sending CertificateRequest, the server signals it also requires a client certificate: the client replies with its Certificate and CertificateVerify messages. This is precisely the message that turns plain TLS into mTLS, ubiquitous between PEPPOL AS4 access points and on secured B2B APIs. The message carries the accepted signature algorithms and, in TLS 1.2, the list of trusted certificate authorities.
Origin
Specified in RFC 8446 §4.3.2 (TLS 1.3) and previously RFC 5246 §7.4.4 (TLS 1.2), published by the IETF.
Example in context
The receiving PEPPOL access point sends CertificateRequest; the sender then supplies its X.509 certificate and the AS4 connection becomes mutually authenticated mTLS.