At minimum, what is required in the client-side keystore to enable mTLS?

Prepare for the MuleSoft Developer 2 Certification Exam. Access practice quizzes featuring flashcards and multiple choice questions with explanations. Get confident and ready for your certification success!

Multiple Choice

At minimum, what is required in the client-side keystore to enable mTLS?

Explanation:
Mutual TLS requires the client to prove its identity with a certificate that is bound to a private key. Therefore the client-side keystore must contain the private key and the corresponding certificate. The private key is used during the TLS handshake to prove possession of the key, while the certificate provides the public key and identity that the server can verify, assuming a trusted certificate authority or a trusted self-signed certificate is in place. If you only have a server certificate, or only a public key, there’s no mechanism to demonstrate possession of the private key or to tie an identity to a key pair. A pre-shared secret isn’t what mTLS relies on for the client’s identity in the keystore. In practice, the certificate can be self-signed for development, but what matters is that it matches the private key and is trusted by the server.

