client cert with public key
We have a scenario in which we would like to use Azure APIM to replace another vendor's API GW that is in use today. However, there is a serious flaw in APIM that prevents us from doing so. Many of our web services (this is healthcare, so a bit more old school) are secured by client cert auth. If the public cert isn't in our API GW store and authorized for the web service, then the authentication/authorization is rejected.
Azure APIM currently (as far as I can tell) only allows certs with private keys to be loaded for validation using the cert store policy. There is no way to upload certs with public keys only. This goes against the purpose of PKI: keep the private key private and only exchange the cert with the public key. If I need to have my customers load their private certs, that is broken.
Request is to have APIM support loading certs with public keys (no private keys) and a policy that can validate requests against that client cert store. If that is implemented, we can move to APIM. Until then, we have to use another vendor's API GW solution.
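For readers who want to see what the check described in this post looks like at the gateway, the following is an added illustration (not part of the original post and not Azure's own sample): an APIM inbound policy that rejects any call whose presented client certificate is missing or whose thumbprint is not on an allowlist for this particular web service. The thumbprint values are placeholders; a real allowlist holds the SHA-1 thumbprints (uppercase hex, no separators) of the customers' public certificates.

```xml
<policies>
    <inbound>
        <base />
        <!-- Only the public certificate is needed for this check: the gateway compares
             the presented client certificate's thumbprint against an allowlist of
             authorized certificates. Thumbprints below are placeholders. -->
        <choose>
            <when condition="@(context.Request.Certificate == null
                || !new [] {
                        &quot;PLACEHOLDER_THUMBPRINT_CUSTOMER_A&quot;,
                        &quot;PLACEHOLDER_THUMBPRINT_CUSTOMER_B&quot;
                   }.Contains(context.Request.Certificate.Thumbprint))">
                <!-- No cert, or a cert that is not authorized for this service: refuse the call
                     before it reaches the backend. -->
                <return-response>
                    <set-status code="403" reason="Client certificate not authorized" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two practical notes on this pattern: the API must be configured to request a client certificate during the TLS handshake, or `context.Request.Certificate` will always be null; and because the allowlist pins leaf-certificate thumbprints, it must be updated whenever a customer rotates their certificate, so a gateway that can hold the public certs in a managed store (as the post requests) avoids editing policy on every rotation.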