At present, if we want to pass the client certificate to the backend provider for mTLS, we upload the client private key to the Gateway and then configure the same private key at the route via an assertion to pass it to the backend provider. But is there any way to pass the incoming client certificate from the request to the backend provider as it is?
We have a requirement that we need to pass a request from DC-01 to DC-02. The API in DC-01 doesn't have client-cert validation, but the API in DC-02 has client-cert validation enabled, and the entity doesn't want to share the private key to be installed in the Gateway. The entity will trigger the request to DC-01 with a client certificate, and we need to pass the same certificate in the routing from DC-01 to DC-02.
DC = Data center
All supported versions of API gateway
The standard method for mutual TLS (mTLS) involves configuring the Gateway to present a client certificate to the backend service, which does require uploading the client certificate and its private key to the Gateway.
However, in scenarios where the client certificate used by the incoming request needs to be forwarded to the backend—without the Gateway possessing the private key—this direct forwarding isn't natively supported due to security constraints and the nature of TLS handshakes.
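Since the Gateway cannot complete DC-02's mTLS handshake without the client's private key, the usual alternative is for DC-01 to validate the incoming client certificate itself and forward it to DC-02 in a header, where DC-02 re-validates it against its own client CA. The Go program below is an added example of both halves of that pattern; it is not code from the original answer or from the API Gateway product, and the header name X-Forwarded-Client-Cert, the in-memory test CA and the CN values are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// issue mints a constructed test certificate signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fixture setup only, so errors are ignored
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ForwardHeader is the DC-01 side: after validating the incoming client cert, forward its DER (base64) in a header such as X-Forwarded-Client-Cert (assumed name).
func ForwardHeader(cert *x509.Certificate) string {
	return base64.StdEncoding.EncodeToString(cert.Raw)
}

// VerifyForwarded is the DC-02 side: the cert must chain to DC-02's client CA, carry the clientAuth EKU and be within validity; it returns the subject CN.
func VerifyForwarded(header string, ca *x509.Certificate) (string, error) {
	der, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

DC-02 must accept this header only on the connection authenticated by the Gateway's own certificate and strip it from any other ingress, because the header carries no proof of key possession the way a real mTLS handshake does.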