Bootstrap FreeKB - SSL - Client Certificate Authentication
SSL - Client Certificate Authentication


Simply put, Client Certificate Authentication, also known as Mutual Auth, is when a client and a server establish a secured connection using a public/private key pair on the server and a public certificate on the client.

Let's say there is a web server that serves HTTPS web pages, such as https://www.example.com. When a client submits a request to get a web page from the web server, here is how the TLS handshake should occur without mutual auth.

  1. The client sends a "Client Hello" packet to the server.
  2. The server sends its public certificate to the client (e.g. server.cer) in a "Server Hello" packet.
  3. The client validates the public certificate against its list of trusted certificate authorities (CA), and if the server's public certificate has been issued by a trusted certificate authority, the client sends the server a premaster secret (random string of data). The premaster secret is encrypted with the server's public certificate (e.g. server.cer). The client adds the server's public certificate to its store of trusted public certificates.
  4. The server decrypts the premaster secret with the server's private key.
  5. The client generates a session key and sends the server a FIN (finished) packet.
  6. The server generates a session key and sends the client a FIN (finished) packet.


And here is how the TLS handshake should occur with Mutual Auth.

  1. The client sends a "Client Hello" packet to the server.
  2. The server sends its public certificate to the client (e.g. server.cer) in a "Server Hello" packet.
  3. The client validates the public certificate against its list of trusted certificate authorities (CA), and if the server's public certificate has been issued by a trusted certificate authority, the client sends its public certificate to the server (e.g. client.cer). The client also sends the server a premaster secret (random string of data). The premaster secret is encrypted with the server's public certificate (e.g. server.cer). The client adds the server's public certificate to its store of trusted public certificates.
  4. The server decrypts the premaster secret with the server's private key. The server adds the client's public certificate to its store of trusted public certificates.
  5. The client generates a session key and sends the server a FIN (finished) packet.
  6. The server generates a session key and sends the client a FIN (finished) packet.
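Here is the mutual-auth handshake above as a runnable, added example (not code from the article): a server that requires a client certificate, a client that either presents one or not, and the server reporting which identity it authenticated. It assumes the `openssl` command is on the PATH and builds a throwaway, constructed PKI (a test CA issuing `server.crt` and `client.crt`) in a temporary directory; everything else is the Python standard library.

```python
import os, pathlib, socket, ssl, subprocess, tempfile, threading
def make_test_pki(d):
    def openssl(*args):
        subprocess.run(["openssl", *args], cwd=d, check=True, capture_output=True)
    for name, cn, ext in (("ca", "Test CA", "basicConstraints=critical,CA:TRUE"),  # constructed test PKI
                          ("server", "localhost", "subjectAltName=DNS:localhost"),
                          ("client", "alice", "extendedKeyUsage=clientAuth")):
        openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                "-keyout", f"{name}.key", "-out", f"{name}.csr")
        pathlib.Path(d, f"{name}.ext").write_text(ext + "\n")
        signer = (["-signkey", "ca.key"] if name == "ca"
                  else ["-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial"])
        openssl("x509", "-req", "-days", "1", "-in", f"{name}.csr",
                "-extfile", f"{name}.ext", *signer, "-out", f"{name}.crt")

def server_side(d, listener, result):
    """Steps 2-4 as the server sees them: present server.crt, require and validate client.crt."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(os.path.join(d, "server.crt"), os.path.join(d, "server.key"))
    ctx.load_verify_locations(os.path.join(d, "ca.crt"))  # CAs the server trusts for client certs
    ctx.verify_mode = ssl.CERT_REQUIRED  # this one setting turns one-way TLS into mutual auth
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:  # the handshake happens here
            result.append(dict(p[0] for p in tls.getpeercert()["subject"])["commonName"])
    except OSError:
        result.append(None)  # aborted: no client certificate, or one this CA did not issue

def client_side(d, port, present_cert):
    """Step 3 as the client sees it: check server.crt against the CA, optionally send client.crt."""
    ctx = ssl.create_default_context(cafile=os.path.join(d, "ca.crt"))
    if present_cert:
        ctx.load_cert_chain(os.path.join(d, "client.crt"), os.path.join(d, "client.key"))
    try:
        with socket.create_connection(("127.0.0.1", port)) as sock:
            with ctx.wrap_socket(sock, server_hostname="localhost") as tls:
                tls.sendall(b"ping")
    except OSError:
        pass  # without a client certificate the server tears the connection down

def mutual_auth_demo(present_cert):
    """Returns the client CN the server authenticated, or None when the handshake failed."""
    with tempfile.TemporaryDirectory() as d, socket.create_server(("127.0.0.1", 0)) as listener:
        make_test_pki(d)
        result = []
        t = threading.Thread(target=server_side, args=(d, listener, result))
        t.start()
        client_side(d, listener.getsockname()[1], present_cert)
        t.join()
        return result[0]
```

Run `mutual_auth_demo(True)` to see the server accept the identity from `client.crt`, and `mutual_auth_demo(False)` to see the same server refuse a client that validated the server but offered no certificate of its own.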
