Setting TLSVerifyClient to anything other than never (the default) turns on mutual TLS: slapd will ask the client for a certificate during the handshake. Only demand (also spelled hard) actually requires one; allow and try still accept sessions from clients that present no certificate, so for real client authentication use demand.
As the name implies, mutual TLS requires that both client and server authenticate themselves with certificates. With ordinary (server-only) TLS just the server presents a certificate; with client authentication the client also sends its certificate, and proves possession of the matching private key, as part of the TLS handshake. One caveat: in TLS 1.2 the client certificate is sent in the clear during the handshake, so its subject is visible on the wire; TLS 1.3 encrypts it.
On the server side this means you cannot do without:
- a server certificate: TLSCertificateFile <filename>
- the private key belonging to that server certificate: TLSCertificateKeyFile <filename>
- the certificate authority (chain) that is trusted to issue client certificates: TLSCACertificateFile <filename> or TLSCACertificatePath <path>
A useful detail: the certificate authority trusted to issue client certificates does not have to be the same one that issued the server certificate, and typically it is not. Your server certificate may for example be issued by Let's Encrypt while you use an internal CA for client certificates. Keep in mind that every CA listed in TLSCACertificateFile (or found in TLSCACertificatePath) becomes an acceptable issuer of client certificates, so list only the CAs you actually want to trust for client authentication.
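Putting the server-side directives together, here is an added slapd.conf example (it is not part of the original page); the file paths, the hostname and the name of the internal CA are assumptions:

```conf
# slapd.conf fragment (added example; all paths are assumptions)

# Server identity: a certificate issued by a public CA (e.g. Let's Encrypt)
# and the private key that belongs to it. Keep the key readable by slapd only.
TLSCertificateFile      /etc/ldap/tls/ldap.example.com.crt
TLSCertificateKeyFile   /etc/ldap/tls/ldap.example.com.key

# CA(s) trusted to issue CLIENT certificates. This is deliberately NOT the
# public CA above: every CA in this file may authenticate clients, so it
# holds only the internal client CA.
TLSCACertificateFile    /etc/ldap/tls/internal-client-ca.pem

# Request a client certificate and drop the session unless a valid one is
# presented. 'allow' or 'try' would let certificate-less clients through.
TLSVerifyClient         demand
```

With cn=config the same settings are the attributes olcTLSCertificateFile, olcTLSCertificateKeyFile, olcTLSCACertificateFile (or olcTLSCACertificatePath) and olcTLSVerifyClient on the cn=config entry. Verify the result with a client that has no certificate: with demand the connection must fail at the TLS layer.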
On the client you first need to trust the CA certificate (chain) that issued the server certificate. That often needs no explicit configuration, because the client's system defaults already contain the right trust anchors. It is governed by the client settings TLS_CACERT and/or TLS_CACERTDIR (in ldap.conf or ~/.ldaprc); TLS_REQCERT decides what happens when the server certificate does not verify, and its default, demand, is the one to keep.
For the client to identify itself with mutual TLS it then needs its own certificate and the associated private key, set with the TLS_CERT and TLS_KEY directives respectively. Both are user-only options: they take effect in ~/.ldaprc (or through the LDAPTLS_CERT and LDAPTLS_KEY environment variables) and are ignored in the system-wide ldap.conf, which is a common reason why a client "silently" never sends its certificate.