Forum Discussion
SSL Certificate Issue
Can I also assume that you renewed the public certificate from the original private key? If so, given that 1) you only replaced the certificate in the client SSL profile, 2) and a generic unverified certificate does work (though the browser likely gets a certificate mismatch error), then I'd start looking at the certificate itself.
From the BIG-IP command line (SSH) view the certificate properties:

    openssl x509 -in [path to certificate] -noout -text

Example:

    openssl x509 -in /config/filestore/files_d/Common_d/certificate_d/\:Common\:iis1.domain.com.crt_180580_1 -noout -text

If that looks good, then review what you're seeing in the browser. Do you get a security warning in the browser? If so, what does it say?

If you don't ever get past the SSL handshake, the next thing I'd look at is the SSL handshake itself. From the BIG-IP command line (SSH) run an SSLDUMP capture:

    ssldump -k [path to private key] -AdNn -i 0.0 port 443 [and any other filters]

where [path to private key] is the physical path to the private key assigned to the client SSL profile that is assigned to the VIP. You need this to be able to decrypt the SSL in the capture. The [and any other filters] part is any other filters that you may need to limit what you see in the capture. SSLDUMP absolutely needs at least one filter, so I added the "port 443", but then you might also want to limit traffic to a particular VIP "and host 10.10.10.1", or perhaps a specific client "and src 10.70.0.1". Ultimately you'll be able to see the full SSL handshake and any SSL-related issues will be visible in this capture.
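
An added example, not part of the original reply: one way to confirm that a renewed certificate was issued for the original private key is to compare the public key in the certificate with the public key derived from the private key. The function names are hypothetical, and the script assumes an unencrypted PEM private key and an OpenSSL build that has the `pkey` subcommand.

```shell
#!/bin/sh
# Added example: check that a certificate and a private key belong together
# by comparing SHA-256 digests of their public keys (works for RSA and EC).
# Usage: sh certkey_match.sh [path to certificate] [path to private key]

# Print the SHA-256 digest of the DER-encoded public key.
# $1 is "cert" or "key", $2 is the path to the PEM file.
pubkey_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An empty result means the file was missing or could not be parsed.
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 |
        awk '{print $NF}'
}

# Return 0 if the pair matches, 1 if it does not, 2 if a file is unreadable.
cert_matches_key() {
    cert_d=$(pubkey_digest cert "$1") || {
        echo "cannot read certificate: $1" >&2
        return 2
    }
    key_d=$(pubkey_digest key "$2") || {
        echo "cannot read private key: $2" >&2
        return 2
    }
    echo "certificate public key sha256: $cert_d"
    echo "private key public key sha256: $key_d"
    [ "$cert_d" = "$key_d" ]
}

# Run the check only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then
    if cert_matches_key "$1" "$2"; then
        echo "MATCH: certificate was issued for this private key"
    else
        echo "NO MATCH (or unreadable input): check the client SSL profile's cert/key pair"
        exit 1
    fi
fi
```

If the two digests differ, the certificate was issued for a different key than the one in the client SSL profile, and the handshake will fail regardless of what the certificate properties show.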