Certificates implementation in "SSL forward proxy client and server authentication" scenario.

Hi Alain, I would try the steps in the 11.5.0 manual. There is an error in the 11.3.0 manual that has been corrected. This step isn't necessary and has been removed:

Important: The certificate and key that you specify in this profile must match the certificate/key pair that you expect the back-end server to offer. If the back-end server has two or more certificates to offer, you must create a separate Server SSL forward proxy profile for each certificate, and then assign all of the Server SSL forward proxy profiles to a single virtual server.

This was some confusion here with another SSL Proxy feature. Essentially, you should only need the CA key and certificate to sign the newly created (on the fly) certificates.

Corrected guide:

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-5-0/16.html?sr=35921646

Hope this helps, Kevin