What is certificate-based authentication (aka SSL/TLS Server | Client | Mutual authentication, or Identity Certificate)?
About
Certificate-based authentication is an asymmetric authentication method that verifies an identity by validating a certificate.
A signed certificate is presented to the application (server or client), which verifies it against its list of authorized Certificate Authorities (CAs). If the certificate is valid, the party that presented it (the server or the client) is authenticated.
This validation of the server and client certificates is done during the SSL/TLS handshake.
Flow
Server authentication is mandatory for SSL, while client authentication is optional.
Server Authentication
To enable SSL on a server (and any protocol based on it, such as HTTPS), the server needs to present a digital certificate known as a server authentication certificate.
- The server authenticates itself to the client by sending a digital certificate signed by a CA that is in the client's list of trusted CAs.
- The client verifies it.
For more information, see the dedicated page: How to enable SSL on a server (ie HTTPS on a web server)?
Client Authentication
Client certificate authentication uses the same mechanism, but the other way around.
- The client authenticates itself to the server by sending a digital certificate signed by a CA that is in the server's list of trusted CAs.
- The server verifies it.
Because every client holding a valid certificate can log in, you need to keep a list of the valid certificates so that you can revoke a certificate later: a certificate that is signed by a trusted CA but has been revoked must be rejected.
For more information, see the dedicated page: What is client certificate authentication? (SSL/TLS Web)
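The server-side validation described above, written out in Go as an added example (it is not code from this page): a presented client certificate is accepted only if it chains to one of the authorized CAs, is valid for the client-authentication role, and is not on the revocation list the operator keeps. The CA, the client certificate and the revocation list are constructed in the code; the helper `issue` and the names used are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for cn with its key: a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // self-signed root that is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Authenticate is the server-side check on a presented client certificate (a client checks the server
// certificate the same way with x509.ExtKeyUsageServerAuth): trusted chain, valid now and for this role,
// not revoked. Revocation is keyed like a CRL entry (issuer + serial) and checked only once the chain verified.
func Authenticate(presented *x509.Certificate, trusted *x509.CertPool, revoked map[string]bool) (string, error) {
	if _, err := presented.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if key := presented.Issuer.CommonName + "/" + presented.SerialNumber.String(); revoked[key] {
		return "", fmt.Errorf("certificate %s has been revoked", key)
	}
	return presented.Subject.CommonName, nil // the authenticated identity
}

func main() {
	ca, caKey := issue("Trusted CA", x509.ExtKeyUsageAny, nil, nil)
	trusted := x509.NewCertPool() // the list of authorized CAs the server validates against
	trusted.AddCert(ca)
	alice, _ := issue("alice", x509.ExtKeyUsageClientAuth, ca, caKey)
	revoked := map[string]bool{}
	fmt.Println(Authenticate(alice, trusted, revoked))       // alice <nil>
	revoked["Trusted CA/"+alice.SerialNumber.String()] = true // alice's certificate is revoked later
	fmt.Println(Authenticate(alice, trusted, revoked))       // "" certificate ... has been revoked
}
```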