Forum Discussion
hooleylist
Jul 30, 2012 Cirrostratus
You could also look at TLS SNI which allows the client to give a server name indication in the SSL handshake. This allows the server to select a valid cert. TLS SNI is supported with an iRule in v10 and natively in v11.1:
sol13452: Configuring a virtual server to serve multiple HTTPS sites using TLS Server Name Indication (SNI) feature
https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
Joel Moses' pre-11.1 iRule:
https://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx
The downside to this approach is that the clients need to support TLS SNI and not all old clients do:
http://en.wikipedia.org/wiki/Server_Name_Indication#No_support
If you can't use TLS SNI because of old clients, using a wildcard or SAN cert works well.
Aaron