CertificateVerify describes a Step within the TLS Handshake process.

The user-agent sends a digital signature computed by the user-agent over all previous handshake messages.

The CertificateVerify message is ONLY sent when the server requested a user-agent certificate that has signing capability (i.e. all certificates except those containing fixed Diffie-Hellman parameters) and the user-agent complied.
When sent, it will immediately follow the ClientKeyExchange.

This is how the user-agent proves to the server that it really "owns" the Public Key which is encoded in the certificate it sent in the CertificateRequest.

Structure of this message:

struct {
    Signature signature;
} CertificateVerify;



In TLS the CertificateVerify process is where the user-agent sends the Digital Signature computed by the user-agent using its Private Key over all previous handshake_messagess, including the type and length fields of the handshake_messagess, starting at ClientHello up to but not including this CertificateVerify message to the server in an unencrypted message.

The Next Step the user-agent sends the change_cipher_spec in an unencrypted message.

More Information#

There might be more information for this subject on one of the following: