In mutual TLS, during the client-authentication phase, a client proves its identity to the server by sending its client certificate (Certificate message). Additionally, it signs all previous handshake messages using its private key and sends the resulting hash (CertificateVerify message). The server uses this hash to validate the client's ownership of the certificate.

What is the security benefit of doing the CertificateVerify validation above? How can cert be compromised while key can't?
A typical key storage/management logistics for a client key+cert is "bundled". Usually, when a server issues a client certificate to a particular client, it supplies key+cert together (often bundled into a single P12 or PFX file, or a PEM file with both parts concatenated), and all client APIs (OpenSSL, curl, Node.js request, etc.) expect both key and cert to be supplied. Therefore, a client reasonably deals with key and cert local storage/protection the same way.

Since they're typically bundled, what benefit/reason is there for key-verification of a cert? Why would supplying just cert not be good enough?
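As an added illustration (not part of the question, and not code from any TLS library), the following Go sketch models the CertificateVerify check with standard-library crypto only: a constructed self-signed client certificate, the client signing a transcript hash with its private key, and the server verifying that signature with the public key carried in the certificate. The function names and the transcript bytes are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// newClientIdentity: constructed self-signed client cert plus its key, standing in for a CA-issued key+cert bundle.
func newClientIdentity() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// certificateVerify is the client side: sign the hash of all handshake bytes sent so far.
func certificateVerify(transcript []byte, key ed25519.PrivateKey) []byte {
	th := sha256.Sum256(transcript)
	return ed25519.Sign(key, th[:])
}

// serverCheck is the server side: recompute the hash and verify with the public key inside the presented cert.
func serverCheck(transcript []byte, cert *x509.Certificate, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	th := sha256.Sum256(transcript)
	return ok && ed25519.Verify(pub, th[:], sig)
}

// stolenCertOutcome reports (real client accepted, holder of cert alone accepted); the latter must sign with another key.
func stolenCertOutcome(transcript []byte) (bool, bool, error) {
	cert, key, err := newClientIdentity()
	if err != nil {
		return false, false, err
	}
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader) // the copier's own key, unrelated to cert
	legit := serverCheck(transcript, cert, certificateVerify(transcript, key))
	impostor := serverCheck(transcript, cert, certificateVerify(transcript, otherKey))
	return legit, impostor, nil
}
```

The certificate only carries the public key, so a party holding a copy of cert but not key cannot produce a signature that serverCheck accepts, and a signature captured from one handshake fails over any other transcript.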
Official definition and reasoning (which is not convincing to me, per the above):