Improved mutual certificate authentication for front-end / public endpoint
The current method of verifying client certificates is to hard-code the certificate thumbprint into a conditional in the policy.
A better solution would be to match the incoming thumbprint against ALL thumbprints in the uploaded SSL certificate store, as described in the last paragraph here:
However, currently only the certificates uploaded with private keys are exposed in the context variable (context.Deployment.Certificates), which renders the aforementioned code non-working for public-only client certificates.
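As an added illustration (not taken from the request above or from Microsoft's documentation verbatim), the two inbound policy fragments below contrast the hard-coded thumbprint check with the match-against-all-uploaded-certificates check the request asks for; `THUMBPRINT_PLACEHOLDER` stands in for a real hex thumbprint, and the `.Verify()` / `NotAfter` checks are assumed hardening additions rather than part of the request.

```xml
<!-- Form 1: hard-coded thumbprint (the "current method" described above).
     Every client whose certificate thumbprint differs from the literal
     string is rejected, so rotating the client certificate means editing
     the policy. THUMBPRINT_PLACEHOLDER is a placeholder, not a real value. -->
<inbound>
    <choose>
        <when condition="@(context.Request.Certificate == null
                           || !context.Request.Certificate.Verify()
                           || context.Request.Certificate.Thumbprint != "THUMBPRINT_PLACEHOLDER")">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
    <base />
</inbound>

<!-- Form 2: accept any client certificate whose thumbprint matches one of the
     certificates uploaded to the APIM instance (context.Deployment.Certificates
     is a dictionary keyed by certificate id, so the thumbprint sits on .Value).
     As the request notes, today this only matches certificates that were
     uploaded with a private key, so public-only client certs are not found.
     Verify() performs chain validation (self-signed client certs will fail it)
     and the NotAfter comparison rejects expired certificates explicitly. -->
<inbound>
    <choose>
        <when condition="@(context.Request.Certificate == null
                           || !context.Request.Certificate.Verify()
                           || context.Request.Certificate.NotAfter &lt; DateTime.Now
                           || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
            <return-response>
                <set-status code="403" reason="Client certificate not in the uploaded certificate store" />
            </return-response>
        </when>
    </choose>
    <base />
</inbound>
```

Both forms assume "Negotiate client certificate" is enabled on the gateway hostname; without it `context.Request.Certificate` is always null and every request is rejected.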
Also, rather than using the APIM certificate store, why not allow the use of Key Vault for public certificates? This would be especially useful if expiration notices were sent. See: https://feedback.azure.com/forums/906355-azure-key-vault/suggestions/37844218-support-storing-certificates-without-private-keys