Forum Discussion
Apr 30, 2013
Client Authentication: Several 'trusted root CA' for one HTTPS VIP ?
Hello,
I'm in the process of setting up VIPs for client authentication purposes.
My challenge: For a given PFX I need to 'trust' two root CAs that are not part of the default CA bundle. ...
Kevin_Stewart
Employee
Apr 30, 2013
1st question: you can create your own bundle file by adding both CAs' certificates to a single certificate object in the GUI (choose paste text and paste X509 of both CA certs). Applying this ONE bundle file to a single client SSL profile in the VIP will allow client certificates issued by either of the two CAs to validate. When you add multiple client SSL profiles to a VIP it assumes that you're doing SNI, for which you'd have to configure one (or neither) as the default.
2nd question: I can't speak to the origin of the property name, but an Advertised Certificate Authorities certificate, or rather bundle of certificates (see above) provides a "root hint" mechanism in the SSL negotiation. During the SSL negotiation with client certificate authentication, the server will say "CertificateRequest" to the client, meaning that it wants a certificate. If you apply an Advertised Certificate Authorities bundle then the server will also send a list of issuers that it will accept from the client. In IE and most browsers this equates to a filtered list of client certificates in the certificate prompt.
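The single-bundle approach from the answer above, as an added example that is not part of the original thread: it uses the openssl CLI to create two throwaway root CAs and one client certificate from each, concatenates the roots into one bundle, and shows that each client validates against the bundle but not against the other root. All file names and subjects are constructed; the subject lines printed at the end are the CA names a server could advertise from such a bundle.

```shell
#!/bin/sh
# Added example with constructed data: throwaway roots and client certs in a temp dir.
set -eu
cd "$(mktemp -d)"

# Minimal req config so both roots carry basicConstraints CA:TRUE.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_root() {   # $1 = file prefix; writes $1.key and a self-signed $1.crt
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root $1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_client() {   # $1 = client prefix, $2 = issuing root prefix
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
}

verifies() {   # $1 = trust file, $2 = client cert; status 0 if the chain validates
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

bundle_subjects() {   # one "subject=" line per CA certificate in bundle $1
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | grep '^subject'
}

make_root rootA; make_root rootB
issue_client alice rootA; issue_client bob rootB

# The bundle is a plain concatenation of the two PEM certificates.
cat rootA.crt rootB.crt > bundle.crt

for c in alice bob; do
    for t in rootA.crt rootB.crt bundle.crt; do
        if verifies "$t" "$c.crt"; then r=ok; else r=FAIL; fi
        printf '%-6s against %-10s %s\n' "$c" "$t" "$r"
    done
done
bundle_subjects bundle.crt
```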