As recommended over here, I am toying with enabling Azure API Management (APIM) as a way to reduce unwanted traffic to an HTTP-triggered Azure Function.
The idea is to use APIM as a means to force the endpoint server (managed by Microsoft) to reject unknown requests (those not in the APIM "Trust Store" (for lack of a proper term)) before they are forwarded to the Function's application code.
In the APIM docs, there are examples of checking the client-cert thumbprint, issuer and subject, but no examples of creating an OCSP request and validating the response to show the client-cert has not been revoked.
I am already handling this in the application code, but don't want to split client-cert validation logic between APIM and the app code. Needs to be all handled in APIM.
How do I use the APIM xml syntax to generate an OCSP request and decode its response to determine cert revocation status?
Is it even possible?
