F5 monitor with client certificate chain

Tore_F_265730
Nimbostratus

Hi
I am attempting to set up a monitor with client certificate authentication and I can configure the monitor with the key/cert appropriately, but there does not seem to be a method for sending the full trust chain with the request like I can with a server profile.
Can I set up a monitor that sends the trust chain with the client certificate during SSL? If so, how can I do this? If you have a link to documentation, that would be great too.
Regards
2 REPLIES

Simon_Blakely
F5 Employee

You may be able to create your client auth certificate with the appropriate intermediate/root certificates appended. You will need to test this - I'm not sure if it will work.
Alternatively, on version 13.1.0.x, you could enable In-TMM Monitoring
K11323537: Configuring In-TMM monitoring
This new feature allows TMM-based HTTPS monitors to use an existing server-SSL profile to establish SSL/TLS to a pool member.
However - this comes with a caveat...
Once you enable In-TMM monitors via the db variable, you will need to update all existing HTTPS monitors to use a suitable server-side ssl profile. There is no current migration process from bigd (OpenSSL-based) settings to TMM (F5 crypto) monitor settings, and unmodified HTTPS monitors will fail in the config due to an incompatible cipher string.
YMMV
In addition to the reply of @Simon_Blakely I want to add that with In-TMM monitoring the health checks will definitely be sent through TMM interfaces only.

Before, it was possible that a health check went out through the MGMT interface if there was a better route to the node.

With In-TMM monitoring you now have the ability to use SNI (server name indication). Previous TMOS versions required using external monitors to get this done.
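Putting the two replies together, the In-TMM variant would be configured roughly as in the tmsh session below. This is an added example, not part of the original thread and not taken from F5 documentation; the object names (chk_client.crt, chk_client.key, chk_ca_bundle.crt, serverssl_monitor, https_mon_clientcert, pool_app), the hostname app.example.test and the /health URI are placeholders, and it assumes the PEM files were already copied to /var/tmp on the BIG-IP. It requires 13.1.0 or later, as Simon notes.

```tmsh
# Added example, not from the thread. All names below are placeholders.

# 1. Install the monitor's client certificate, its private key, and a bundle
#    holding the intermediate(s) (and optionally the root) that issued it,
#    leaf excluded, in issuing order.
create sys file ssl-cert chk_client.crt    source-path file:/var/tmp/chk_client.crt
create sys file ssl-key  chk_client.key    source-path file:/var/tmp/chk_client.key
create sys file ssl-cert chk_ca_bundle.crt source-path file:/var/tmp/chk_ca_bundle.crt

# 2. Server-SSL profile the monitor will use. 'chain' is what sends the trust
#    chain with the client certificate; 'server-name' supplies SNI.
create ltm profile server-ssl serverssl_monitor \
    defaults-from serverssl \
    cert  chk_client.crt \
    key   chk_client.key \
    chain chk_ca_bundle.crt \
    server-name app.example.test
#    Optional: also verify the pool member's certificate against a CA bundle
#    (peer-cert-mode require requires ca-file to be set).
# modify ltm profile server-ssl serverssl_monitor ca-file chk_ca_bundle.crt peer-cert-mode require

# 3. Before flipping the switch, find HTTPS monitors that have no ssl-profile.
#    Each of these needs one, or it will fail to load once bigd.tmm is enabled.
list ltm monitor https ssl-profile

# 4. Move HTTPS monitors from bigd (OpenSSL) into TMM (F5 crypto). Global setting.
modify sys db bigd.tmm value enable

# 5. HTTPS monitor bound to the profile; cert/key/chain/SNI all come from the profile.
create ltm monitor https https_mon_clientcert \
    defaults-from https \
    ssl-profile serverssl_monitor \
    send "GET /health HTTP/1.1\r\nHost: app.example.test\r\nConnection: close\r\n\r\n" \
    recv "200 OK"

# 6. Attach to the pool, confirm members come up, and persist.
modify ltm pool pool_app monitor https_mon_clientcert
show ltm pool pool_app members
save sys config
```

Step 3 is the check that matters for Simon's caveat: the db variable affects every HTTPS monitor on the box, so any monitor the `list` command shows without an ssl-profile is one that will fail in the config after step 4. Fix those first, or try the whole sequence on a non-production unit. Because the monitor traffic then originates in TMM, it leaves via the TMM interfaces regardless of management routes, which is the point made in the second reply.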