Tony_Augustine_
Dec 15, 2008
How to configure BIG-IP to accept client certs from multiple CAs to the same VS
I have a Client SSL Profile set up for terminating 2 Way SSL at BIG-IP. However it is currently set up to only accept client certificates issued by a particular CA. Can I and if so how to configure th...
hoolio
Dec 16, 2008
I think you can concatenate multiple CA certificates in a bundle and configure the client SSL profile to use the cert bundle as the Trusted Client CAs option. Here is a snippet from the 9.3 config guide:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_3config/BIG_IP_LTM_9_3_Config_Guide-10-1.html
Specifying trusted client CAs
For client-side SSL processing, you can configure an SSL profile to verify certificates presented by a client or a server. Using the Trusted Certificate Authorities setting, you can specify a client trusted CAs file name, which the BIG-IP system then uses to verify client or server certificates. If you do not configure a trusted CAs file, the profile uses a default file.
The trusted CAs file that you specify for certificate verification contains one or more certificates, in Privacy Enhanced Mail (PEM) format. Built manually, this file contains a list of the client or server certificates that the SSL profile will trust. If you do not specify a trusted CAs file, or the specified trusted CAs file is not accessible to the BIG-IP system, the system uses the default file name.
You'll probably want to configure the same cert bundle in the 'Advertised Certificate Authorities' section as well.
Aaron
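A practitioner's check on the bundle step in the answer above, as an added example that is not part of the original thread and not F5 tooling: a small Python script that concatenates several CA PEM files into one bundle of the form the Trusted Certificate Authorities and Advertised Certificate Authorities settings expect. It normalises line endings and base64 wrapping, drops duplicate certificates, and refuses a bundle containing a truncated block (a BEGIN marker with no END, or base64 that does not decode to one complete DER SEQUENCE), because a truncated paste would otherwise be accepted as a bundle that trusts fewer CAs than intended. The two certificate bodies are constructed placeholder DER blobs, not real X.509 certificates, so the script runs offline; in practice pass the contents of the real CA PEM files.

```python
import base64
import re
import textwrap

# One complete PEM certificate block, BEGIN line through END line.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str):
    """Return the DER bytes of every complete CERTIFICATE block in text.

    Raises ValueError if a BEGIN marker has no matching END (a truncated
    paste), so the caller cannot silently end up trusting fewer CAs than
    the operator intended.
    """
    begins = text.count("-----BEGIN CERTIFICATE-----")
    bodies = PEM_BLOCK_RE.findall(text)
    if len(bodies) != begins:
        raise ValueError(f"{begins} BEGIN markers but {len(bodies)} complete blocks")
    ders = []
    for body in bodies:
        b64 = re.sub(r"\s+", "", body)          # tolerate CRLF / odd wrapping
        # validate=True makes stray characters an error instead of being skipped
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def der_outer_length_ok(der: bytes) -> bool:
    """Cheap structural check without an X.509 parser: a certificate is one
    DER SEQUENCE (tag 0x30) whose encoded length covers exactly the bytes
    present. Catches truncated or run-together base64."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                             # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length


def der_to_pem(der: bytes) -> str:
    """Re-emit a certificate as canonical PEM (LF endings, 64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def build_ca_bundle(pem_sources) -> str:
    """Concatenate the CA certs from several PEM texts into one bundle,
    deduplicated, with every block verified to be a complete DER SEQUENCE."""
    seen = set()
    out = []
    for src in pem_sources:
        for der in split_pem_bundle(src):
            if not der_outer_length_ok(der):
                raise ValueError("certificate block is not a complete DER SEQUENCE")
            if der in seen:                      # same CA supplied twice
                continue
            seen.add(der)
            out.append(der_to_pem(der))
    return "".join(out)


def count_certs(bundle: str) -> int:
    return len(split_pem_bundle(bundle))


def is_valid_bundle(text: str) -> bool:
    """True if text parses as a bundle of well-formed certificate blocks."""
    try:
        build_ca_bundle([text])
        return True
    except ValueError:
        return False


# Constructed placeholder blobs standing in for two CA certificates so the
# script runs offline. They are minimal DER SEQUENCEs, NOT real X.509
# certificates; use the real CA PEM file contents in practice.
CA_ONE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
# Second CA saved on Windows: CRLF endings, no trailing newline.
CA_TWO_PEM = "-----BEGIN CERTIFICATE-----\r\nMAMCAQI=\r\n-----END CERTIFICATE-----"
# A paste that lost its END line; must be rejected, not quietly dropped.
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQ"

if __name__ == "__main__":
    bundle = build_ca_bundle([CA_ONE_PEM, CA_TWO_PEM, CA_ONE_PEM])
    print(f"{count_certs(bundle)} distinct CA certificates in bundle")
    print(bundle, end="")
    print("truncated input accepted:", is_valid_bundle(TRUNCATED_PEM))
```

Write the returned string to a file and import that file on the BIG-IP as the bundle referenced by both the Trusted Certificate Authorities and Advertised Certificate Authorities settings. The structural check deliberately stops at the outer DER length; it tells you the bundle is intact, not that the certificates in it are the CAs you meant to trust, so still review the subjects of what you are adding.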