Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates?

Abdy
Nimbostratus

Hi experts

I have a question.

If certificates (keys) are exported in the CLI or in the GUI, what options do we have to log these actions or prevent these actions?

Does the F5 maybe have a way to allow all regular admin actions to be performed except exporting certificates (keys) and give this right to a certain special account?

Thank you!

2 REPLIES

AlexBCT
MVP

Hi Abdy,

I don't think there's such a role on the BigIPs. As administrator you have full access to everything - there is no way to specifically exclude certain features. See here for the full overview of user roles: https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-systems-user-account-administration/user-roles.html

There is a role that ONLY has access to the certificate management though: Certificate Manager, though I suspect that one on its own won't be of much use for your use case.

Have you got any BigIQs (F5 centralized management platform)? Its RBAC system is much more granular than the BigIP's, and you can configure user and group access even on a per-object basis, which may give you the granularity you are looking for.

Hope this helps.

Abdy
Nimbostratus

Hello Alex,

Very clear answer, thanks a lot for your feedback.

Have a good day!