Hi, I have an issue with a similar scenario.
I have enabled an API and did the configurations as described.
- Gateway settings done to negotiate client certificate
- added self-signed client certificate to API Certificate as root
- added policy to API to validate thumbprint
<choose>
    <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || context.Request.Certificate.Thumbprint != "B6D3BE73E79586474DCC1221A77937686E60979C")">
        <return-response>
            <set-status code="403" reason="Invalid client certificate" />
        </return-response>
    </when>
</choose>
I first tested it with a self-signed certificate generated on Azure and it worked.
Now, setting up the scenario with an external partner and his self-signed certificate, it fails...
Questions:
Is there a way to figure out what thumbprint I am receiving? It's not shown in the insight logs.
Or other suggestions to validate the incoming API call?
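
Added example, not part of the original post: the thumbprint compared in the policy above is the SHA-1 hash of the certificate's DER bytes as uppercase hex, so it can be computed offline from the partner's PEM file and checked against the configured value. The function names and the sample bytes are constructed for illustration; the sample is a stand-in, not a real certificate.

```python
import hashlib
import re
import ssl
import unicodedata

# Thumbprint configured in the policy shown in the post.
POLICY_THUMBPRINT = "B6D3BE73E79586474DCC1221A77937686E60979C"

# Constructed stand-in bytes: the hash depends only on the encoded bytes,
# so no real certificate is needed to show the calculation.
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def normalize_thumbprint(text: str) -> str:
    """Reduce a pasted thumbprint to 40 uppercase hex characters."""
    # Copy and paste from a certificate viewer can carry invisible format
    # characters (Unicode category Cf, e.g. U+200E) that break a string compare.
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    # Tools such as openssl print colon-separated lowercase bytes.
    cleaned = re.sub(r"[\s:]", "", visible).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {text!r}")
    return cleaned


def thumbprint_from_pem(pem: str) -> str:
    """SHA-1 over the DER bytes of a PEM certificate, as uppercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha1(der).hexdigest().upper()


def matches_policy(pem: str, configured: str = POLICY_THUMBPRINT) -> bool:
    """True when the certificate's thumbprint equals the configured one."""
    return thumbprint_from_pem(pem) == normalize_thumbprint(configured)


if __name__ == "__main__":
    print("computed  :", thumbprint_from_pem(SAMPLE_PEM))
    print("configured:", normalize_thumbprint(POLICY_THUMBPRINT))
    print("match     :", matches_policy(SAMPLE_PEM))
```

Run it against the PEM file the partner supplied instead of `SAMPLE_PEM`; a mismatch here means the value in the policy is not the thumbprint of that certificate.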