Entrust certificate use in Apigee Mutual TLS API call


Mutual TLS needs a truststore and a keystore on both sides. In an Apigee mutual TLS API call, Apigee holds in its truststore the certificate (or certificate chain) it will accept from the client, and the client holds in its truststore the chain for Apigee's server certificate.

Entrust is a Certificate Authority accepted worldwide. In the Apigee truststore we store the client's certificate, the intermediate certificate and the root certificate, either in sequence in a single PEM file or as separate PEM files. In practice it is the intermediate (chain) and root certificates that decide which client certificates Apigee trusts. When the client certificate is issued by Entrust, the intermediate and root certificates are the same for every Entrust customer, so a truststore that contains only that chain will accept any Entrust-issued client certificate, not just the one belonging to your intended client: anyone holding an Entrust client certificate can pass the mutual TLS handshake. To close this gap, add another policy in the Apigee proxy that validates the CN of the presented client certificate against an allow-list held in a KVM or any other store where the CN match can be made. The lookup can be a KeyValueMapOperations policy, a ServiceCallout to an external store, or any other security check layered on top of TLS. Two caveats: the check must read the certificate that the TLS layer actually verified, not a CN copied into a request header by the caller, and matching the CN alone still trusts every issuing CA under the Entrust root, so also confirm that the issuer is the specific Entrust issuing CA you expect. Alternatively, place only the specific client certificate in the truststore instead of the shared Entrust chain, so that no other Entrust certificate is trusted at all.
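The CN allow-list check described above, written as the body of an Apigee JavaScript policy. This is an added example, not code from the original article or from Apigee. It assumes that the subject and issuer DNs of the verified client certificate are available in Apigee's TLS flow variables `tls.client.s.dn` and `tls.client.i.dn` (check the variables reference for your Apigee version), that a preceding KeyValueMapOperations policy has copied the allow-list into a hypothetical flow variable `private.allowed_client_cns` as a comma-separated string of CNs, and that a RaiseFault policy conditioned on `clientcert.allowed = false` follows it. The issuer DN and the sample DNs are constructed placeholders; substitute the issuer DN of your real Entrust issuing CA as printed by `openssl x509 -noout -issuer`.

```javascript
// Added example (not from the original post or from Apigee): CN allow-list
// check for an Apigee JavaScript policy, plus the DN parsing it relies on.
// Written in ES5 so it runs under Apigee's Rhino engine and under node.

// Split an RFC 2253 style DN ("CN=a\, b, O=c, C=US") into [TYPE, value] pairs.
// Backslash escapes are honoured, so a comma inside a value does not split it,
// and the escape character is removed from the returned value.
function parseDn(dn) {
  var attrs = [];
  var buf = "";
  var escaped = false;
  for (var i = 0; i < dn.length; i++) {
    var ch = dn.charAt(i);
    if (escaped) { buf += ch; escaped = false; }
    else if (ch === "\\") { escaped = true; }
    else if (ch === ",") { pushAttr(attrs, buf); buf = ""; }
    else { buf += ch; }
  }
  pushAttr(attrs, buf);
  return attrs;
}

function pushAttr(attrs, rdn) {
  var eq = rdn.indexOf("=");
  if (eq < 0) { return; }                       // ignore fragments without a type
  var type = rdn.slice(0, eq).trim().toUpperCase();
  var value = rdn.slice(eq + 1).trim();
  attrs.push([type, value]);
}

// Return the CN value, or null if the DN carries no CN or more than one CN
// (two CNs are ambiguous, so the certificate is refused rather than guessed at).
function extractCn(dn) {
  var attrs = parseDn(dn);
  var cn = null;
  for (var i = 0; i < attrs.length; i++) {
    if (attrs[i][0] !== "CN") { continue; }
    if (cn !== null) { return null; }
    cn = attrs[i][1];
  }
  return cn;
}

// Compare two DNs attribute by attribute, so spacing around commas is irrelevant.
function sameDn(a, b) {
  var x = parseDn(a), y = parseDn(b);
  if (x.length !== y.length) { return false; }
  for (var i = 0; i < x.length; i++) {
    if (x[i][0] !== y[i][0] || x[i][1] !== y[i][1]) { return false; }
  }
  return true;
}

// The actual decision: the certificate must come from the one issuing CA we
// expect (not merely any CA under the shared Entrust root in the truststore),
// and its CN must be on the allow-list. CNs are hostnames, so the match is
// case-insensitive; empty allow-list entries (e.g. a trailing comma) are ignored.
function isAllowedClient(subjectDn, issuerDn, allowedCns, expectedIssuerDn) {
  if (!sameDn(issuerDn, expectedIssuerDn)) { return false; }
  var cn = extractCn(subjectDn);
  if (cn === null || cn === "") { return false; }
  var wanted = cn.toLowerCase();
  for (var i = 0; i < allowedCns.length; i++) {
    var entry = allowedCns[i].trim().toLowerCase();
    if (entry !== "" && entry === wanted) { return true; }
  }
  return false;
}

// Constructed sample data for running this file outside Apigee (e.g. with node).
var SAMPLE_ISSUER = "CN=Example Issuing CA, O=Example CA, C=US";   // placeholder
var SAMPLE_SUBJECT = "CN=partner-api.example.com, O=Example Partner\\, Inc., C=US";
var SAMPLE_ALLOWLIST = "partner-api.example.com, other-client.example.net";

function checkSample() {
  return isAllowedClient(SAMPLE_SUBJECT, SAMPLE_ISSUER, SAMPLE_ALLOWLIST.split(","), SAMPLE_ISSUER);
}

// Policy entry point: only runs inside Apigee, where the global `context` exists.
if (typeof context !== "undefined") {
  var allowed = (context.getVariable("private.allowed_client_cns") || "").split(",");
  var ok = isAllowedClient(
    context.getVariable("tls.client.s.dn") || "",   // subject DN of the verified client cert
    context.getVariable("tls.client.i.dn") || "",   // issuer DN of that cert
    allowed,
    SAMPLE_ISSUER);                                 // replace with your real Entrust issuer DN
  // A RaiseFault policy with condition clientcert.allowed = false comes next in the flow.
  context.setVariable("clientcert.allowed", ok ? "true" : "false");
}
```

Because the DNs come from the TLS flow variables, the check is bound to the certificate the handshake verified; a caller cannot substitute a CN of its choosing the way it could with a header. The issuer comparison is what keeps a certificate issued by a different Entrust intermediate, or by a different customer under the same intermediate but with a coincidentally matching CN, from being accepted only because the shared chain is in the truststore.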

Version history
Last update: 04-26-2020 03:50 AM