We want to use self-signed certificates to authenticate APIs for two purposes:
1) Internal testing
2) Providing a certificate to external systems with a custom expiry date
When we import that as a trust anchor and import it into the proper user in the right FIP group, we still get the "Message was not processed: Authentication Failed (402)" error.
It seems in some cases the certificate requires being signed, why?
Release: 10.1
This error looks like it's by design.
If you review the 3 scenarios at the bottom, it states that unless you're using Scenario 2, which is attaching the cert only to the user, Scenario 3 is assumed and these certs must be signed.
Note under Scenario 2:
"If trusted certificates are added to the FIP, the Layer7 API Gateway will assume you are using "Scenario 3: CA Certificate and Individual Client Certificates" instead."
And under Scenario 3:
"The individual client certificates must be signed by the CA certificate."
But unfortunately it doesn't seem you can mix and match the FIP use cases. So either the cert will need to be signed, or you would need a new FIP with a Scenario 2 use case if you don't want to sign the cert in question.
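
Before changing the FIP, it helps to confirm which case a client certificate falls into. The script below is an added example, not Broadcom's code or part of the original article. It assumes the `openssl` CLI is installed; every file name, subject name and helper function in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify a client certificate against a FIP trusted (CA) certificate.
# All certificates are constructed in a temp directory; none come from a gateway.

# is_self_signed CERT: success when CERT verifies with itself as the trust anchor.
is_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# signed_by CA CERT: success when CERT chains to the CA certificate in file CA.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# classify CA CERT: prints self-signed, ca-signed or unknown-issuer.
#   self-signed -> only usable when attached to the user (Scenario 2)
#   ca-signed   -> satisfies "must be signed by the CA certificate" (Scenario 3)
classify() {
    if is_self_signed "$2"; then echo "self-signed"
    elif signed_by "$1" "$2"; then echo "ca-signed"
    else echo "unknown-issuer"
    fi
}

# make_demo_certs DIR: constructed CA, a client cert it signs, and a self-signed client cert.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo FIP CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=signed-client" \
        -keyout "$d/signed.key" -out "$d/signed.csr" 2>/dev/null
    openssl x509 -req -in "$d/signed.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/signed.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=selfsigned-client" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# Demo run on the constructed certificates.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for c in signed self; do
    echo "$c.pem: $(classify "$demo_dir/ca.pem" "$demo_dir/$c.pem")"
done
rm -rf "$demo_dir"
```

To check real certificates, export the FIP's trusted certificate and the client certificate as PEM files and pass them to `classify` in that order.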