How to do certificate-based authentication while making an API call to Edge

We would like to have the consumer use a client certificate to authenticate themselves while making an API call (API hosted on Edge).

Currently, we have our API that can be authenticated via an API key (we have used a Verify API Key policy to do this).

However, what we would like is that the client certificate is validated (by some layer before the API proxy) and only such authenticated API calls are forwarded into Edge. Certificates that cannot be validated will be rejected as unauthorized.

Furthermore, client-identifiable information (such as cname?) should be passed into the API so that the API is able to correlate any data read / written to the specific client that made the call. It would be ideal if the resolved client information were passed into the API as flow variables (as opposed to receiving it via request params).

We are able to get bits and pieces of information that such a thing is possible, but are unable to put the pieces together to get something working end-to-end. If someone has done this, or knows what needs to be done to get the full scenario working, please let us know.

(also requested by @seshi)


You should check out http://apigee.com/docs/api-services/content/creating-virtual-host. I believe you need to make a support request to set some of this up.

Search for the phrase "two-way" on the page, and you'll see the relevant info 🙂
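For reference, this is what the "two-way" TLS part of that doc amounts to in practice: a virtual host definition with client authentication turned on. This is an added illustration, not something from the linked page or the original posters, and the virtual host name, host alias, key alias and the two `ref://` names are placeholders that assume you have already created a keystore reference (holding the server certificate Edge presents) and a truststore reference (holding the CA certificate that issues your consumers' client certificates).

```xml
<!-- Added example (not from the thread or the Apigee docs): an Edge virtual host
     configured for two-way TLS. Names and ref:// targets are placeholders. -->
<VirtualHost name="secure-mtls">
  <HostAliases>
    <!-- Hostname the consumer calls; must match the server certificate in the keystore. -->
    <HostAlias>api.example.com</HostAlias>
  </HostAliases>
  <Port>443</Port>
  <SSLInfo>
    <Enabled>true</Enabled>
    <!-- Two-way TLS: the client must present a certificate during the handshake. -->
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <!-- Keystore reference: the certificate and private key Edge presents to callers. -->
    <KeyStore>ref://edge-server-keystore-ref</KeyStore>
    <KeyAlias>api-example-com</KeyAlias>
    <!-- Truststore reference: CA certificate(s) that issue client certificates.
         A client certificate that does not chain to one of these fails the
         handshake, so the request never reaches the API proxy. -->
    <TrustStore>ref://client-ca-truststore-ref</TrustStore>
  </SSLInfo>
</VirtualHost>
```

Two things worth checking before relying on this: put only the CA certificate(s) you actually issue client certificates from into the truststore (a broad public CA bundle would let any certificate from those CAs through the handshake), and note that this configuration covers only the first half of the question. Rejecting unknown certificates happens at the virtual host; surfacing the validated client's identity to the proxy as flow variables is a separate question that the linked page and this thread do not settle.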


@Prashanth Subrahmanyam

Hi Prashanth,

We have a similar requirement. Were you able to get this working for you? Any information regarding this would be very helpful.

Thanks,

Roopa


Yes, this page should give you the information you want. http://apigee.com/docs/api-services/content/creating-virtual-host