CertificateVerify describes a Step within the TLS Handshake
The user-agent sends a digital signature computed by the user-agent over all previous handshake messages.
The CertificateVerify message is ONLY sent when the server requested a user-agent
certificate that has signing capability (i.e. all certificates
except those containing fixed Diffie-Hellman parameters) and the user-agent
When sent, it will immediately follow the ClientKeyExchange
This is how the user-agent proves to the server that it really "owns" the Public Key which is encoded in the certificate it sent in the CertificateRequest.
Structure of this message:
In TLS the CertificateVerify process is where the user-agent sends the Digital Signature computed by the user-agent using its Private Key over all previous handshake_messagess, including the type and length fields of the handshake_messagess, starting at ClientHello up to but not including this CertificateVerify message to the server in an unencrypted message.
The Next Step the user-agent sends the ChangeCipherSpec in an unencrypted message.
There might be more information for this subject on one of the following: