Why certificate is not a secret in SSL authentication

Question

I'm reading about certificate-based authentication in SSL, and got a question about this process. (picture is taken from above link)

Question is: why server.cer and client.cer are not secrets. In this diagram, it seems that communication hasn't been encrypted when certs got exchanged, does this mean both certificates are exposed in plaintext? If so, why it's secure? Because in this way an adversary can easily obtain server's public key as well as its certificate, and impersonate the server. I think I misunderstood something. Please correct me.

Answer 1

Because in this way an adversary can easily obtain server's public key as well as its certificate

Correct.

and impersonate the server.

Incorrect. You need the private key as well as the certificate to impersonate the server.

The diagram you quoted isn't correct. Both sides will have not only a keystore but a truststore. The incoming certificates are checked against the local truststore; the outgoing certificate comes from the keystore.

given that the certificate is used to verify the public key belongs to the server

No. The certificate plus its digital signature is used to verify that the certificate belongs to the server. The digital signature is created with the private key. See the article you quoted.

However it isn't entirely correct. In the diagram, incoming certificates are checked against a local truststore, which is separate from the keystore. The session key is never exchanged (2.1 step 5).