Reading this post, I'm trying to understand how mutual TLS works in AWS. I think I understand most parts, but what is unclear to me is the arrow going from AWS Certificate Manager to the client. I'm guessing this is the server certificate presented to the client.
But does the client need to actively request this or is it handled automatically by the TLS handshake during the call to the API?
The line from ACM to the client in the diagram is just ACM issuing the client certificate. It wouldn't make much sense (from a security perspective) for the client to go somewhere else than the server to get the server certificate.
SSL/TLS certificate validation happens during the SSL handshake when the TCP connection between the client and server is initially established.
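To make the answer concrete, here is an added example (written for this page, not code from the question, the answer, or AWS) that builds a throwaway CA standing in for the private CA ACM issues from, issues a server and a client certificate from it, and runs an mTLS handshake over loopback. It shows the two points above in code: the client certificate is simply handshake input supplied in the TLS configuration, and the server certificate is validated inside tls.Dial, during the handshake itself. Names such as demo-ca, api.example.test and client-1 are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{cn},
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key // no parent given: self-signed root CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Handshake runs one mTLS handshake over loopback; the returned error is the server's verdict on the client cert.
func Handshake(presentClientCert bool) error {
	caCert, caKey := issue("demo-ca", nil, nil) // constructed CA standing in for the ACM private CA
	srvCert, srvKey := issue("api.example.test", caCert, caKey)
	cliCert, cliKey := issue("client-1", caCert, caKey)
	pool := x509.NewCertPool() // the truststore: both sides trust only this CA
	pool.AddCert(caCert)
	srvCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, // the "mutual" part
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "api.example.test"}
	if presentClientCert { // the client cert is handshake input; nothing is fetched separately during the call
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: Handshake sends the server cert and validates the client cert
		conn, _ := ln.Accept()
		srvErr <- conn.(*tls.Conn).Handshake()
		conn.Close()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // runs the handshake; the server cert is validated here
	if err != nil {
		return err // e.g. untrusted or mismatched server certificate
	}
	defer conn.Close()
	return <-srvErr
}
```

Calling Handshake(true) completes both validations; Handshake(false) fails on the server side because no client certificate was presented.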