Using root certs for validation instead of using VIP certs for validation

Document ID : KB000111981
Last Modified Date : 23/08/2018
To verify our backend, we are currently uploading the public certificate from the F5 VIPs by searching for it in manage certificate. We were recently told that this is a concern and that we should be using the certificate authority (CA) root cert to validate all backend F5 VIPs instead. Can we validate the VIPs using only the certificate authority (CA) root cert?
APIM is the SSL client, so you only need the root CA and all its intermediate CAs in the chain.
Additional Information:
Verified this with other support engineers and also ran the following test:

ONLY the root CA certificate was installed on the CA Gateway in Trusted Certificates, with "Certificate is a Trusted Anchor" checked
Created Web Service with
Route via HTTP(s) to
Accessed SSL and non-SSL through the GW: successful, no SSL errors; verified that the proper key was exchanged via packet capture as well
Managed Certificates: Installed rootCA as trusted anchor

Snippet RootCA to WebServer:

Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 2995
        Handshake Protocol: Certificate
            Handshake Type: Certificate (11)
            Length: 2991
            Certificates Length: 2988
            Certificates (2988 bytes)
                Certificate Length: 1441
                Certificate: 3082059d30820385020101300d06092a864886f70d01010b... (,,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Maynard,id-at-stat
                Certificate Length: 1541
                Certificate: 30820601308203e9a003020102020900d46b66b785a9ca64... (,,id-at-organizationalUnitName=Support,id-at-organizationName=CA,id-at-localityName=Framingham,id-at
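
The same root-anchored validation can be reproduced outside the gateway with the openssl CLI. This is an added example, not part of the original article or the product: it builds a throwaway root, intermediate and leaf chain (all names, subjects and paths are constructed) and verifies with only the root in the trust store. It goes one step beyond the test above by also checking a renewed VIP certificate and a certificate with the same subject from an unrelated CA.

```bash
#!/usr/bin/env bash
# Added example: throwaway PKI built with the openssl CLI (OpenSSL 1.1.0+ assumed).
# Every name, subject and path here is constructed for the demo.
set -e
PKI=$(mktemp -d); trap 'rm -rf "$PKI"' EXIT
SERIAL=0
printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=demo' \
  '[ca]' 'basicConstraints=critical,CA:TRUE' > "$PKI/demo.cnf"

# make_root NAME CN: self-signed CA certificate (a candidate trust anchor)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$PKI/demo.cnf" \
    -extensions ca -subj "/CN=$2" -keyout "$PKI/$1.key" -out "$PKI/$1.pem" 2>/dev/null
}
# issue NAME CN ISSUER [x509 options]: new key pair, then a certificate signed by ISSUER
issue() {
  name=$1; cn=$2; issuer=$3; shift 3; SERIAL=$((SERIAL + 1))
  openssl req -new -newkey rsa:2048 -nodes -config "$PKI/demo.cnf" -subj "/CN=$cn" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.pem" -CAkey "$PKI/$issuer.key" \
    -set_serial "$SERIAL" -days 30 -out "$PKI/$name.pem" "$@" 2>/dev/null
}
# validate NAME: the trust store holds ONLY root.pem. The intermediate is passed as
# untrusted chain material, as a server would send it in its Certificate message.
validate() {
  openssl verify -no-CApath -CAfile "$PKI/root.pem" -untrusted "$PKI/inter.pem" \
    "$PKI/$1.pem" >/dev/null 2>&1
}

make_root root "Demo Root CA"
issue inter "Demo Issuing CA" root -extfile "$PKI/demo.cnf" -extensions ca
issue vip1 "vip.example.test" inter      # certificate currently on the VIP
issue vip2 "vip.example.test" inter      # renewed VIP certificate with a new key
make_root rogue "Unrelated CA"
issue fake "vip.example.test" rogue      # same subject, issuer outside the trust store

for c in vip1 vip2 fake; do
  if validate "$c"; then echo "$c: chain validates"; else echo "$c: rejected"; fi
done
```

Both VIP certificates validate without any change to the trust store, which is what removes the need to upload each VIP certificate after every renewal; the certificate from the unrelated CA is rejected.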