Under public key encryption two keys are required, a public key and a private key. A client contacts a Certificate Authority (CA) to obtain both of these keys. The public key is then provided to anyone who needs to send encrypted data to the client. The sender uses the this public key to encrypt the data and send it to the original client. On receipt, the client decrypts the message using the private key (which is the only key which can be used to decrypt the message since this is asymmetrical encryption.
So far we have looked at certificates in terms of encrypting data between parties where the public key is used to encrypt a message to a client and the client's private key is used to decrypt the message. When using certificates as a means of authentication this process is reversed. In such a situation the client encrypts its signature using its private key and sends it to the receiving system. If the sending client is who it claims to be the receiving system should be able to decrypt the signature using the client's public key. If the decryption using the public key fails, the sender is not who they claim to be and the authentication has failed.