Cert chain should exist in both server and client PC?

Check out these links, they may help clarify.

https://support.f5.com/kb/en-us/solutions/public/0000/700/sol788.html

https://docs.nexcess.net/article/what-is-a-chain-of-ssl-certificates.html

Depends on how you setup your VIP. :)

If you are "offloading" 443 -> 80(to server), the VIP will have a certificate configured; the F5 does the heavy-lifting.--encryption and decryption If you setup "pass-through" 443 -> 443 The F5 does not decrypt the traffic, the back-end servers will do the encryption and re-encryption.

--- I think you are referring to the CA Bundle for IIS or Apache / Tomcat?¿ -Pass-through: The Intermediate and Root cert will have to be in the cert store for the certificate trust. -Offloading: The F5 will have to have a CA Bundle configured with Root and Intermediate certificates and not server or client cert. The client receives the server(s) "public" certificate, when accessing HTTPS. The Client certificate may/can be used to authenticate one into the server. i.e. APM authentication

Note: The private certificate is NEVER handed out. Analogy: It is the "key" to your house, you don't want strangers having your key or they can rob you. :)

Local Traffic ›› Profiles : SSL : Client >>> Refer to: https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html

The BIG-IP Client SSL profile enables the BIG-IP system to accept and terminate client requests that are sent using a fully SSL-encapsulated protocol and provides a number of configurable settings for managing client-side Secure Socket Layer SSL connections.

Local Traffic ›› Profiles : SSL : Server >>> Refer to: https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html `The BIG-IP Server SSL profile enables the BIG-IP system to initiate secure connections to your SSL servers by using a fully SSL-encapsulated protocol and providing configurable settings for managing server-side SSL connections.