How does authentication with client certificate work

  1. I am developing a service which I will deploy behind an ssl terminating proxy inside a private network.
  2. SSL is NOT used inside the private network.
  3. The client of my API wants to pass their certificate in a header. We are NOT going to use mutual TLS.
  4. Once my service receives a request with a certificate in a header, how should I validate it?

My understanding is that:

  1. The client's certificate will contain their identity, public key and a signature of a Certificate Authority.
  2. Once I receive their certificate I should be able to verify that it is indeed legit with the public key of a Certificate Authority.

But how should I verify that the client is who they claim to be and not simply replaying the certificate? I could, in theory, challenge their certificate by encrypting something with their public key and then asking them to decrypt it, but this will require additional steps.

Solution 1:[1]

The client will also send some signed content (say, a signed user ID or a signed token), and you can use the public key to verify the signature. If the signature is verified, it proves that the sender owns the private key for the public key he sent.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Bharat Vasant