Forum Discussion
https://support.f5.com/csp/article/K13452
Well, yes. The easiest way to support different client side certificates is to use SNI switching. You create multiple client SSL profiles, each with a different Server Name attribute (that should match the defined certificate CN or SAN), and then include all of the client SSL profiles in a single VIP. Based on the SNI value in the client's ClientHello TLS handshake message, the BIG-IP will switch between the client SSL profiles.
Swapping the server side SSL profile is also pretty straightforward. You'd just add the
SSL::profile [profile_name]
command to an iRule event. Ref: https://devcentral.f5.com/wiki/iRules.SSL__profile.ashx, and you can even do this in a CPM policy.
But keep in mind for client-side SNI switching, the client SSL profiles all have to be identical, except for the Server Name attribute and cert/key. If you actually need different types of client SSL profiles (like with different ciphers, or client authentication), then you'd have to parse the binary SNI value from the TCP payload. There are plenty of examples of that here, so not terribly difficult.
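An added illustration of the last point, not part of the post above or of F5's own code: an iRule that collects the first TCP segment, walks the raw ClientHello to the server_name extension, and selects a client SSL profile with SSL::profile based on the hostname. The profile names and hostnames are placeholders, and the parser assumes the whole ClientHello arrives in the first collected segment.

```tcl
when CLIENT_ACCEPTED {
    # Hold the first segment so the raw ClientHello can be inspected before the SSL stack sees it.
    TCP::collect
}
when CLIENT_DATA {
    set payload [TCP::payload]
    set plen [TCP::payload length]
    set sni ""
    # TLS record: type(1)=22 handshake, version(2), length(2); then handshake type(1)=1 ClientHello.
    if { $plen > 43 && [binary scan $payload "cx4c" rtype htype] == 2 && $rtype == 22 && $htype == 1 } {
        # Skip record header(5) + handshake header(4) + client version(2) + random(32).
        set off 43
        binary scan $payload "@${off}c" sidlen              ;# session ID length(1) + session ID
        set off [expr {$off + 1 + ($sidlen & 0xff)}]
        binary scan $payload "@${off}S" cslen               ;# cipher suites length(2) + suites
        set off [expr {$off + 2 + ($cslen & 0xffff)}]
        binary scan $payload "@${off}c" cmlen               ;# compression methods length(1) + methods
        set off [expr {$off + 1 + ($cmlen & 0xff)}]
        if { $off + 2 <= $plen } {
            binary scan $payload "@${off}S" extlen          ;# total extensions length(2)
            set end [expr {$off + 2 + ($extlen & 0xffff)}]
            set off [expr {$off + 2}]
            # Walk the extension list: type(2), length(2), data. server_name is type 0.
            while { $off + 4 <= $end && $off + 4 <= $plen } {
                binary scan $payload "@${off}SS" etype elen
                set elen [expr {$elen & 0xffff}]
                if { ($etype & 0xffff) == 0 } {
                    # SNI data: list length(2), name type(1)=0 host_name, name length(2), name bytes.
                    binary scan $payload "@[expr {$off + 7}]S" nlen
                    binary scan $payload "@[expr {$off + 9}]A[expr {$nlen & 0xffff}]" sni
                    break
                }
                set off [expr {$off + 4 + $elen}]
            }
        }
    }
    # Pick the client SSL profile for this hostname; profile names are placeholders for this example.
    switch -glob -- [string tolower $sni] {
        "api.example.com" { SSL::profile /Common/api-clientssl-mtls }
        "*.example.com"   { SSL::profile /Common/wildcard-clientssl }
    }
    TCP::release
}
```

If no case matches (or no SNI is present), the virtual server's default client SSL profile stays in effect. A production version should compare the TLS record length against the collected payload and call TCP::collect again when the ClientHello is split across segments.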