It's not the routing I'm so much concerned with, since that will be a more fixed list that even manually shouldn't be too bad.
My concern is more the Client Certificate Authentication. We accept certificate authentication from numerous possible chains; so long as it chains to a trusted root, it can be used to authenticate on the front-end.
So basically: Trusted Issuer --- TLS client cert auth ---> API Gateway (validates OID, chain, revocation) --- Proxy --> App Back-end
To have the trust established for the client cert auth we have to walk the full path up to the root. This means maintaining the roots and the intermediates.
Manually managing that many certificates via the GUI can be a pain. I was hoping for some automated way to handle it, since there are some months when we have to make quite a few updates, and it has to be quick: once a new CA/Intermediate is identified, we have to start accepting those certs as quickly as possible so that authentication succeeds.
It wouldn't be the end of the world to do it via the GUI if we can import the full PEM or JKS file; it's just that the more we can automate these little time-consuming operational tasks, the better. I'd rather the admins spend time on enhancements than clicking through buttons for certs.