AFM FQDN whitelist outbound HTTP (host header) and HTTPS (SNI sub-CA cert) Data Group iRule

Hello! - We would like to be able to create a AFM FQDN whitelist irule with a datagroup entry specifically to match host header with HTTP and to match SNI with HTTPS. Decrypted inspection would utilize company sub-CA cert/key based on existing client-trusted CA.

Does someone have a example data group and iRule to use for this? How can I match on an existing sub-CA cert?

Would something like this work?

ltm data-group internal FQDN_ALLOWED_LIST {
  records {
    .site1.com { }
    .site2.com { }
  }
  type string
}
 
ltm data-group internal CLIENT_CERT_INFO {
  records {
    companycertname { }
  }
  type string
}
 
#Apply to outbound AFM HTTPS VIP
when CLIENTSSL_HANDSHAKE {
    if { [SSL::extensions exists -type 0] } then {
        set tls_sni_extension [SSL::extensions -type 0]
 }
}
when HTTP_REQUEST {
  if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) &&  ([class match $tls_sni_extension contains CLIENT_CERT_INFO]) } {
    log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST"
    return
	} else {
     log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST"
    drop
  }
}
 
#Apply to outbound AFM HTTP VIP
when HTTP_REQUEST {
  if { ([string tolower [HTTP::host]] contains FQDN_WHITELIST) } {
    log local0. "URL is allowed. [HTTP::host] match found in FQDN_WHITELIST"
    return
	} else {
     log local0. "URL is dropped. [HTTP::host] not found in FQDN_WHITELIST"
    drop
  }
}

Thanks!!

TJ