KellyS_50017
Oct 01, 2010

Client SSL Cert requirements

Hopefully a straightforward, simple question. This is on 9.4.8, if that makes a difference. When you set Client Certificate Required on a ClientSSL profile, what are the _minimum_ usage/constraints on the certificate?

For example, if you generate a cert using OpenSSL, and just hit enter-enter-enter through all the prompts, you get a cert that is suitable for everything - for instance Digital Signature, Encipherment, etc. in Key Usage. The public cert from that works perfectly fine as a client certificate for one-to-one client cert authentication. If you generate a very tightly defined cert, for instance Key Usage only allows Encipherment, neither the F5 nor browsers (IE, Chrome, Firefox - tried 'em all) think it's a valid Client Certificate.

So, what constraints/key usage/etc. are required (but no more, if possible) for a Client Certificate? We're fine with OpenSSL generated certs, but a business partner we're dealing with is taking the opposite approach, and is generating extremely locked down certs that aren't working for us. Anyone else have this happen and know the requirements for a Client Certificate, or at least how to properly submit a request for a cert that will work, through a CA?

-Kelly

1 Reply

  • Hi Kelly,

    I'm guessing the only place you'll get an answer on this is from F5 Support. Have you opened a case with them yet?

    Aaron
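
An added example, not part of the original thread and not F5 documentation: TLS client authentication has the client sign part of the handshake with its private key, and OpenSSL's own "SSL client" purpose check reproduces the behaviour described in the question, rejecting an encipherment-only certificate and accepting one limited to digitalSignature plus the clientAuth extended key usage. The CN values, file names and the three profiles are constructed for illustration; whether BIG-IP 9.4.8 applies further checks is not stated on this page.

```shell
#!/bin/sh
# Added example: CN values, file names and the three profiles are constructed.

# make_cert <dir> <name> <keyUsage> [extendedKeyUsage]
# Writes a self-signed test cert with exactly the requested usage extensions.
make_cert() {
  dir=$1; name=$2; ku=$3; eku=${4:-}
  {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
    printf 'x509_extensions = ext\n[ dn ]\nCN = %s.example\n' "$name"
    printf '[ ext ]\nbasicConstraints = critical, CA:FALSE\n'
    printf 'keyUsage = critical, %s\n' "$ku"
    if [ -n "$eku" ]; then printf 'extendedKeyUsage = %s\n' "$eku"; fi
  } > "$dir/$name.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config "$dir/$name.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# purpose_ok <cert>: true if OpenSSL's "SSL client" purpose check accepts it.
# That check rejects a cert whose keyUsage has neither digitalSignature nor
# keyAgreement, or whose extendedKeyUsage is present without clientAuth.
purpose_ok() {
  openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# Build the three constructed profiles and report how each is judged.
demo() {
  tmp=$(mktemp -d)
  make_cert "$tmp" encipher-only keyEncipherment
  make_cert "$tmp" wrong-eku digitalSignature serverAuth
  make_cert "$tmp" client-auth digitalSignature clientAuth
  for n in encipher-only wrong-eku client-auth; do
    if purpose_ok "$tmp/$n.crt"; then r=accepted; else r=rejected; fi
    printf '%-14s %s\n' "$n" "$r"
  done
  rm -rf "$tmp"
}
demo
```

For a certificate requested from a CA, the same `keyUsage` and `extendedKeyUsage` lines go in the CSR's `req_extensions` section, and the issuing CA decides which of them end up in the signed certificate.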