I don't think there's such a role on the BigIP's. As administrator you have full access to everything - there is no way to specifically exclude certain features. See here for the full overview of user roles; https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-systems-user-account-administration/user-roles.html
There is a role that ONLY has access to the certificate management though; Certificate Manager, though I suspect that one on its own won't be of much use for your use case.
Have you got any BigIQ's? (F5 centralized management platform) Its RBAC system is much more granular than the BigIP's and you can configure user and group access even on a per-object basis and may give you the granularity you are looking for.