SSL Offload with HTTP/2.0

The following article does give instructions to use the clientssl-secure profile:
https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-http2-full-proxy-configuration/http2-full-proxy-configuring.html

However, this is just used an example. In reality, you would use clientssl-secure as a parent profile of a child clientssl profile (which has the cert / key / chain applied).

Below is a configuration that I have used in the past for configuring HTTP/2 with SSL offload. It disables renegotiation and only allows TLS1.2

Configuring HTTP/2 Client-Side (SSL Offload)

# Create HTTP/2 profile
create ltm profile http2 HTTP2 defaults-from http2

# Create parent client-ssl HTTP/2 compatible profile (renegotiation disabled and TLS1.2 PFS ciphers enabled)
create ltm profile client-ssl CLIENTSSL-HTTP2 defaults-from client-ssl description "HTTP/2 Compatible - SSL Renegotiation Disabled, PFS Enabled" renegotiation disabled ciphers 'ECDHE+AES-GCM:ECDHE+CHACHA20-POLY1305:ECDHE+AES+SHA256:ECDHE+AES+SHA384:ECDHE+AES:RSA+AES-GCM:RSA+AES+SHA256:RSA+AES' options { dont-insert-empty-fragments single-dh-use no-dtls no-ssl no-tlsv1 no-tlsv1.1 no-tlsv1.3 }

# Create child client-ssl profile (inherit from parent client-ssl profile)
create ltm profile client-ssl CLIENTSSL-HTTP2-<FQDN> defaults-from CLIENTSSL-HTTP2 cert-key-chain add { <FQDN>-<YEAR> { cert <FQDN>-<YEAR>.crt key <FQDN>-<YEAR>.key chain <INTERMEDIATE CA BUNDLE>.crt } }

# Create pool
create ltm pool <POOL NAME> load-balancing-mode least-connections-member members add { <IP>:<PORT> } monitor <MONITOR>

# Create HTTP/2 virtual server
create ltm virtual <VS NAME> destination <VIP>:<PORT> profiles add { tcp http HTTP2 CLIENTSSL-HTTP2-<FQDN> } pool <POOL NAME>