One simple way to understand how this works is to think like this:
1. The end-user connects to F5 as the server, and F5 has to present an SSL certificate to prove its identity to the end-user. You need to do everything right here to offer top security.
2. The F5, as a client, connects to the application server, and the application needs to present an SSL certificate to prove its identity to fulfill the requirement of the SSL protocol.
There is a lot of flexibility in step 2, depending on your security requirements. If all you need is encrypted traffic, you can just use a self-signed certificate on the application server. The default serverssl profile on F5 is configured to ignore certificate checking.
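
If step 2 also has to authenticate the application server, the server-side profile needs certificate checking turned on. The following is an added example, not configuration from the original text: it shows the default profile's setting beside a child profile that verifies the server certificate. The profile name `app_serverssl_verify`, the CA object `internal-ca.crt` and the host name `app01.example.internal` are placeholders, and the CA certificate is assumed to be imported on the BIG-IP already.

```tmsh
# Run from the BIG-IP bash prompt. All object names are placeholders.

# Encryption only: show the certificate-checking mode of the built-in
# serverssl profile, which the F5 uses when it connects to the application
# server as a client (step 2).
tmsh list ltm profile server-ssl serverssl peer-cert-mode

# Encryption plus server authentication: a child profile that inherits
# everything from serverssl and then
#   - requires the application server to present a certificate,
#   - trusts only certificates chaining to the CA in ca-file,
#   - checks that the certificate name matches the expected host name,
#   - sends that host name as SNI,
#   - drops the connection if the certificate is untrusted or expired.
tmsh create ltm profile server-ssl app_serverssl_verify \
    defaults-from serverssl \
    peer-cert-mode require \
    ca-file internal-ca.crt \
    authenticate-name app01.example.internal \
    server-name app01.example.internal \
    untrusted-cert-response-control drop \
    expire-cert-response-control drop

# Review the resulting profile before attaching it to a virtual server
# in place of the default serverssl profile.
tmsh list ltm profile server-ssl app_serverssl_verify
```

A self-signed certificate on the application server can still be used with this profile if that same certificate is imported and referenced as the `ca-file`, since it is its own issuer.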