I have been working to find a solution for my company to secure access to APM. We are wanting to check for a cert on all devices accessing the APM for authentication and only allow those with the cert. I currently have it working across the board with our public cert installed on my devices, but we want to use a self-signed cert to push to the masses, but still retain our public cert for HTTPS on the portal site.
It seems like this should be something the F5 could handle, but I didn't have any luck searching DevCentral or attempting to add additional profiles to my VIP. Any help would be greatly appreciated.
You may find what you are looking for in the Client Authentication section of the Client SSL profile.
In this section, you can activate Client Certificate Authentication (require, request or ignore).
And you can also define the trusted CAs. In your case, it's your self-signed certificates.
But it's not recommended to use self-signed certificates for client authentication because you can't manage revocation status natively. You have to write an iRule to retrieve the serial number of the certificate used by the client and check it against a datagroup to see whether it's valid or not.
Here is a useful link: https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication
Hope it helps.
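As an added illustration of the serial-number check the answer above describes (this is not code from the thread or from F5), here is an iRule that fails closed when no certificate is presented and rejects any client whose certificate serial is listed in a datagroup of revoked serials. The datagroup name `revoked_cert_serials` is hypothetical, and it assumes the datagroup keys are stored as lower-case hex with no colons, matching the normalisation done in the rule.

```tcl
# Added example: deny clients whose certificate serial appears in a datagroup.
# Assumes a string datagroup named "revoked_cert_serials" (hypothetical name)
# whose keys are serial numbers as lower-case hex without colons.
when CLIENTSSL_CLIENTCERT {
    # Fail closed: no certificate presented means no access.
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    # The Client SSL profile already checked the chain against the trusted CA;
    # a verify_result of 0 means OpenSSL found no error in that check.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client certificate from [IP::client_addr] failed verification ([SSL::verify_result])"
        reject
        return
    }

    # Normalise the serial (strip colons, lower-case) to match the datagroup key format.
    set serial [string tolower [string map {":" ""} [X509::serial_number [SSL::cert 0]]]]

    # Revocation substitute: a serial listed in the datagroup is refused.
    if { [class match $serial equals revoked_cert_serials] } {
        log local0. "Revoked client certificate serial $serial from [IP::client_addr]; rejecting"
        reject
        return
    }

    log local0. "Accepted client certificate serial $serial ([X509::subject [SSL::cert 0]]) from [IP::client_addr]"
}
```

Revoking a certificate then means adding its serial to the datagroup, which is the manual bookkeeping the answer warns you take on when no CRL or OCSP is available for a self-signed CA.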