Hello @dwang , the referred article shows how to create a REST API and consume it from B2C custom policies. Certificate authentication does not require an external password since it relies on the certificate key pair. Please follow the steps detailed in HTTPS client certificate authentication to implement it in your policies.
Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.