Forum Discussion
Think of it this way. When a server presents its certificate to a browser during an SSL handshake, the client must be able to validate that certificate. Validation involves date and integrity checking, and a trust "chain" establishment. That chain is a path from the server certificate to a self-signed root CA certificate, and is made possible by virtue of an EXPLICIT trust of the CA certificates, and that explicit trust is based on CA certificates that are installed in the client's trust store. If you set client cert auth on the F5 to ignore, and you can get to the web page with or without a certificate warning in the browser, then you're probably okay on the client side.
When the client sends its certificate to a server, as part of a mutually authenticated SSL handshake, the server (F5 VIP) must perform the same validation checks that the client had to do for the server cert. It includes date and integrity checking, and an explicit trust chain establishment by virtue of the CA certificates stored in the Trusted Certificate Authorities cert/bundle. The Trusted Certificate Authorities cert/bundle is only used for client cert auth.
I don't think you specified where you were using the self-signed cert, but if it was on the server side (cert and key inside the client SSL profile) then it shouldn't matter as the issuer of a server cert doesn't have to be (and usually isn't) the same as the client cert. What matters here is that the client SSL profile can validate the certificate presented by the client.
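The checks described in this reply can be reproduced offline with `openssl verify`. The script below is an added example, not part of the original post and not F5 code. It builds a constructed lab PKI in which a `client-ca` stands in for the Trusted Certificate Authorities bundle and a separate `server-ca` issues the VIP's certificate. All CA names, subjects and file names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed lab PKI: every name, key and file here is made up for the example.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: create a self-signed root CA (NAME.key, NAME.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME: create NAME.crt, signed by CA and valid for 30 days.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
        -out "$WORK/$2.crt" 2>/dev/null
}

# chain_ok CA CERT [verify options]: exit 0 only if CERT passes the date,
# signature and chain checks with CA.crt as the only trusted bundle given.
chain_ok() {
    ca=$1; cert=$2; shift 2
    openssl verify -CAfile "$WORK/$ca.crt" "$@" "$WORK/$cert.crt" >/dev/null 2>&1
}

make_ca client-ca                 # plays the trusted-CA bundle for client auth
make_ca server-ca                 # issues the VIP's server certificate
issue_leaf client-ca client
issue_leaf server-ca vip

for ca in client-ca server-ca; do
    if chain_ok "$ca" client; then r=accepted; else r=rejected; fi
    echo "client cert against $ca bundle: $r"
done
# Date check: the same chain evaluated at 2100-01-01, after the cert expires.
chain_ok client-ca client -attime 4102444800 || echo "client cert in 2100: rejected"
```

The client certificate is accepted only when its own issuer is in the bundle being checked; which CA issued the VIP's server certificate has no effect on that result.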