I'm setting up Azure API Management to secure a Logic App with a certificate. I've added the following policy to the API:
<choose>
    <!-- Reject the call unless a client certificate was presented, it chains to a trusted issuer (Verify()),
         it has not expired, and its thumbprint matches one of the certificates uploaded to this APIM instance. -->
    <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify() || context.Request.Certificate.NotAfter<DateTime.Now || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
        <return-response>
            <set-status code="403" reason="Invalid client certificate" />
        </return-response>
    </when>
</choose>
When I add the self-signed certificate, I can only make a successful call to the API when the certificate is added to both the CA certificates and the Certificates sections. Otherwise I get an invalid certificate warning (the one from my policy) in Postman.

Question: I don't believe this is normal behaviour and am sure I have done something incorrect. How do I correctly add the certificate to APIM and ensure it is used correctly?
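Added example, not from the post and not APIM's own code: a local Python re-implementation of the four checks in the policy expression above, using the `cryptography` package. It builds a constructed self-signed client certificate and evaluates the same conditions against two lists that stand in for the CA certificates and Certificates sections (the two lists, the certificate, and all helper names are assumptions). The stand-in for `Verify()` does what chain validation does in the case that matters here: a certificate passes only if a trusted certificate carries its issuer name and a public key that validates its signature, so a self-signed certificate passes only when it is itself in the trust store, and the thumbprint check passes only when the same certificate is in the deployment list.

```python
"""Local re-implementation of the four conditions in the APIM <when> expression.

Added example, not APIM code. `ca_store` stands in for the CA certificates
section and `deployment_certs` for the Certificates section; both are assumed.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str, days: int = 365) -> x509.Certificate:
    """Build a constructed self-signed certificate (subject == issuer).
    A negative `days` value produces an already-expired certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    end = now + timedelta(days=days)
    start = min(now, end) - timedelta(days=1)  # always precedes `end`
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(end)
        .sign(key, hashes.SHA256())
    )


def thumbprint(cert: x509.Certificate) -> str:
    """.NET-style thumbprint: uppercase hex SHA-1 over the DER encoding."""
    return cert.fingerprint(hashes.SHA1()).hex().upper()


def verify_against_store(cert: x509.Certificate, ca_store: list) -> bool:
    """Stand-in for X509Certificate2.Verify(): pass only if a certificate in the
    trust store has the issuer's name and a key that validates the signature.
    For a self-signed certificate that trusted certificate is itself."""
    for candidate in ca_store:
        if candidate.subject != cert.issuer:
            continue
        try:
            candidate.public_key().verify(
                cert.signature,
                cert.tbs_certificate_bytes,
                padding.PKCS1v15(),
                cert.signature_hash_algorithm,
            )
            return True
        except InvalidSignature:
            continue
    return False


def not_after(cert: x509.Certificate) -> datetime:
    """Timezone-aware NotAfter; older `cryptography` only has the naive UTC form."""
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_after_utc
    return cert.not_valid_after.replace(tzinfo=timezone.utc)


def policy_rejects(cert, ca_store, deployment_certs, now=None) -> bool:
    """True when the <when> condition fires, i.e. when the policy returns 403.
    The four clauses are evaluated in the same order as the expression."""
    now = now or datetime.now(timezone.utc)
    if cert is None:                                        # Certificate == null
        return True
    if not verify_against_store(cert, ca_store):            # !Certificate.Verify()
        return True
    if not_after(cert) < now:                               # NotAfter < DateTime.Now
        return True
    known = {thumbprint(c) for c in deployment_certs}       # context.Deployment.Certificates
    return thumbprint(cert) not in known                    # !Any(thumbprint match)


if __name__ == "__main__":
    client = make_self_signed("client")
    for label, ca, deployed in [
        ("neither section", [], []),
        ("CA certificates only", [client], []),
        ("Certificates only", [], [client]),
        ("both sections", [client], [client]),
    ]:
        print(f"{label:22s} -> {'403' if policy_rejects(client, ca, deployed) else 'accepted'}")
```

Running the block prints one line per combination; only the "both sections" row is accepted, which is the behaviour the post observes.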