1 Client Certificate

A client digital certificate or client certificate is basically a file, usually protected with a password and loaded unto a client application (usually as PKCS12 files with the .p12 or .pfx extension).

A client certificate would typically contain pertinent information like a digital signature, expiration date, name of client, name of CA (Certificate Authority), revocation status, SSL/TLS version number, serial number, and possibly more, all structured using the X.509 standard.

At the start of a SSL or TLS session, the server (if configured to do so) may require the client application to submit a client certificate for authentication. Upon receiving the certificate, the server would then use it to identify the certificate's source and determine whether the client should be allowed access.

Actually, popular Web browsers like Firefox, Chrome, Safari, and Internet Explorer can readily support client certificates. These digital certificates can also be loaded unto secure file transfer clients like AnyClient as well as to other client applications that support SSL/TLS-protected protocols like HTTPS, FTPS, WebDAVs, and AS2.

Don't confuse client certificates with server certificates. Both are digital certificates that involve client and server applications but they're two different things. A server certificate is sent from the server to the client at the start of a session and is used by the client to authenticate the server. A client certificate, on the other hand, is sent from the client to the server at the start of a session and is used by the server to authenticate the client.

Reference:

https://www.jscape.com/blog/client-certificate-authentication

1.1 Process

Client certificate authentication (if ever applied) is carried out as part of the SSL or TLS handshake, an important process that takes place before the actual data is transmitted in a SSL or TLS session. Here's a simplified illustration that includes that part in the process.

1. First, the client performs a "client hello", wherein it introduces itself to the server and provides a set of security-related information.
2. The server responds with its own "server hello", which is accompanied with its server certificate and pertinent security details based on the information initially sent by the client. 
3. This is the optional step that initiates client certificate authentication. This will only be carried out if the server is configured to request a digital certificate from the client for the purpose of authentication.
4. Before this step is performed, the client inspects the server certificate for authenticity. If all goes well, it transmits additional security details and its own client certificate.