I stand corrected, if we use "request" we are directed to the application but if "required", it says "page cannot be displayed"
And that makes sense. The client is passing a certificate to the BIG-IP that the BIG-IP MUST be able to validate (given the require option). For the BIG-IP to be able to validate the client's certificate, you must obtain and specify a "CA bundle". If you're familiar with browser's trusted certificate store, this is a bucket of certificate authority public certs that the browser EXPLICITLY trusts - by virtue of their existence in the store. When a server sends its cert to the client, the client browser must validate trust by way of creating a chain from the server's certificate to the issuing CA of that certificate (and potentially the issuing CA of that certificate if multi-level) and terminating at a trusted root certificate. Your self-signed certificate only differs in that it is its own self-signed root, so the browser would NEVER trust this certificate unless it was specifically installed in the browser's trust store. For client certificate authentication, this process is reversed, and the BIG-IP performs the same validity and trust checks that the browser did for the server's cert. The BIG-IP, however, doesn't have a single CA trust store, so each client SSL profile must be given one. If you look in the client SSL profile, you'll see an option for "Trusted Certificate Authorities". This option allows you to select a single certificate (or bundle of certificates) that the BIG-IP can use to establish trust with the client's certificate. If, for example, the client certificate is issued by Verisign, you need Verisign's public CA certificate applied to the Trusted Certificate Authorities option. If you expect to accept clients with certificates issued from multiple CAs, then you can create a bundle file - a text file that contains the PEM/Base64-encoded value of each CA's certificate. Example:
-----BEGIN CERTIFICATE-----
MIIEgTCCA+qgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzER
MA8GA1UEChMIdGVzdC5jb20xHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0
eTEUMBIGA1UEAxMLY2EudGVzdC5jb20wHhcNMTMwNTAxMDQyMzQ1WhcNMTYwMjE5
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
JIIEgTGGB+qgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJVUzER
FA9GB1UEChMIdGVzdC5jb20xHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhvcml0
eTEU8BIGA1UEAxMLY2EudGVzdC5jb20wHhcNMTMwNTAxMDQyMzQ1WhcNMTYwMjE5
...
-----END CERTIFICATE-----
Put those into a text file and import them like you would a single certificate.