In Policy, some use cases may want to separate the ways in which the 'Require SSL' assertion handles the certificate. For example; the first branch of logic may check for the presence of the certificate, whereas the next branch checks again for the validity of that same certificate.
The problem is, if an expired certificate passes the first branch (which only checked for the presence of a certificate), it would actually pass the branch later down the line that checks for the validity of the certificate.
The Gateway does this almost as a 'caching' mechanism to reduce the overhead of policy. As it has already checked for the certificate, it pulls the same details from before (where we didn't check for validity) and it actually passes through even though a certificate may not be valid and is expired.
Instead of the second 'Require SSL' assertion checking for the validity, we can do a compare expression to check for the validity. The compare variable should look like the below:
This compare expression will take the cert validity using a built in context variable and compare it against the gateway time; essentially checking the validity of it and ensuring it is not expired.