ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

CertificateRequest

TLS handshake message that requests a client certificate, the core of mTLS.

Definition

By default TLS authenticates only the server. By sending CertificateRequest, the server signals it also requires a client certificate: the client replies with its Certificate and CertificateVerify messages. This is precisely the message that turns plain TLS into mTLS, ubiquitous between PEPPOL AS4 access points and on secured B2B APIs. The message carries the accepted signature algorithms and, in TLS 1.2, the list of trusted certificate authorities.

Origin

Specified in RFC 8446 §4.3.2 (TLS 1.3) and previously RFC 5246 §7.4.4 (TLS 1.2), published by the IETF.

Example in context

The receiving PEPPOL access point sends CertificateRequest; the sender then supplies its X.509 certificate and the AS4 connection becomes mutually authenticated mTLS.

  • mTLS — the outcome triggered by this message.
  • X.509 — format of the requested client certificate.

Last updated: June 20, 2026