Forum Discussion

Robert_47833
Apr 08, 2018

SSL forward proxy issue!!

1: In the client-side SSL profile, there are 2 places for a cert/key. One is under Configuration/Certificate Key Chain, the other is under SSL Forward Proxy/CA Certificate CA Key. Is the one under Configuration/Certificate Key Chain not necessary?

 

2: To monitor outbound SSL traffic, if by any chance we want to monitor more sites, such as 1.xyz.com, 2.abc.com, do we need to generate a new cert/key in the SSL client profile since we need more CNs?

 

3: Any chance to know how F5 creates a new cert between the client and F5 (client side)? Is the key changed too?

 

  • You might want to read

     

    Implementing SSL Forward Proxy on a Single BIG-IP System

     

    K14783: Overview of the Client SSL profile (11.x - 13.x)

     

    3: Any chance to know how F5 creates a new cert between the client and F5 (client side)? Is the key changed too?

     

    • The client sends an SSL CLIENTHELLO that reaches the virtual server and the client-SSL profile.
    • The LTM then sends a new CLIENTHELLO to the server, which responds with a SERVERHELLO containing a server certificate identifying the server.
    • The LTM extracts the Subject and SAN from the server certificate and builds a new temporary certificate signed by the CA key and CA Authority certificate. The key changes to the CA key.
    • The client-SSL profile sends a SERVERHELLO to the client containing the newly generated certificate.
    • The client must trust the CA Authority configured in the SSL Forward Proxy.

    2: To monitor outbound SSL traffic, if by any chance we want to monitor more sites, such as 1.xyz.com, 2.abc.com, do we need to generate a new cert/key in the SSL client profile since we need more CNs?

     

    No. The CA Authority you create for the SSL Forward Proxy can sign any CN.

     

    You may wish to look at the deployment guide for the SSL Intercept iApp solution

     

    SSL Intercept v1.5 (BIG-IP v12.0+: LTM)

     

    I'd recommend discussing this with your F5 Account team or F5 Professional Services.
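The five-step exchange and the "one CA can sign any CN" point above, as an added example that is not part of the thread or of F5's code: the same certificate flow re-created with OpenSSL 1.1.1+ so the cert/key relationship is visible. The CA name, the host names 1.xyz.com and 2.abc.com, and the self-signed "origin" certificates standing in for the real servers are constructed for the demo; following the answer, the forged leaf is keyed with the CA key.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): re-create the SSL Forward Proxy
# certificate flow with OpenSSL 1.1.1+ so the cert/key relationship is visible.
# Host names, the CA name and the "origin" certificates are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# The CA pair you would load under SSL Forward Proxy / CA Certificate + CA Key.
# Its CN ("Forward Proxy CA") becomes the issuer of every forged leaf; it never
# has to match any site name, which is why one CA covers 1.xyz.com, 2.abc.com, ...
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Forward Proxy CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Stand-in for the real server's certificate (self-signed here; a real site's
# would chain to a public CA). Only its Subject and SAN matter to the proxy.
make_origin() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1,DNS:www.$1" \
    -keyout "origin-$1.key" -out "origin-$1.crt" 2>/dev/null
}

# What the proxy does per connection: copy Subject and SAN from the server cert,
# mint a new leaf and sign it with the CA key. As the answer says the key
# "changes to the CA key", the leaf is keyed with ca.key as well (demo assumption).
forge_leaf() {
  subj="/$(openssl x509 -in "origin-$1.crt" -noout -subject -nameopt RFC2253 \
           | sed 's/^subject=//; s/,/\//g')"
  san="$(openssl x509 -in "origin-$1.crt" -noout -ext subjectAltName \
           | tail -n +2 | tr -d ' ')"
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$san" > "ext-$1.cnf"
  openssl req -new -key ca.key -subj "$subj" -out "forged-$1.csr" 2>/dev/null
  openssl x509 -req -in "forged-$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "ext-$1.cnf" -out "forged-$1.crt" 2>/dev/null
}

# Inspection helpers used by the demo and the checks.
leaf_issuer() { openssl x509 -in "forged-$1.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'; }
leaf_san()    { openssl x509 -in "forged-$1.crt" -noout -ext subjectAltName | tail -n +2 | tr -d ' '; }

# A client that trusts the proxy CA accepts the forged cert for that host name ...
client_trusting_proxy_ca() {
  openssl verify -CAfile ca.crt -verify_hostname "$1" "forged-$1.crt" >/dev/null 2>&1
}
# ... and a client that does not trust it rejects the cert (browser certificate error).
client_not_trusting_proxy_ca() {
  ! openssl verify -CAfile "origin-$1.crt" -verify_hostname "$1" "forged-$1.crt" >/dev/null 2>&1
}
# The forged leaf carries the CA's public key: the key the client sees is the CA key.
leaf_uses_ca_key() {
  [ "$(openssl x509 -in "forged-$1.crt" -noout -pubkey)" = "$(openssl pkey -in ca.key -pubout 2>/dev/null)" ]
}

make_ca
for host in 1.xyz.com 2.abc.com; do
  make_origin "$host"
  forge_leaf "$host"
  echo "$host: issuer=$(leaf_issuer "$host") san=$(leaf_san "$host")"
done
```

Two things the script makes concrete: the Subject and SAN of the forged leaf come from the real server certificate, not from anything configured on the BIG-IP, so adding sites needs no new cert; and because a single CA key signs (and here also keys) every forged certificate, that CA key and the list of clients that trust it deserve the same protection as any internal CA.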

     

  • No. The CA Authority you create for the SSL Forward Proxy can sign any CN.
    ----------- So the CA cert I added in the F5 SSL Forward Proxy/CA Certificate part doesn't need to have a CN in it, right?

  • I would indeed say so, but I'm not sure whether there isn't some general rule that a CN needs to be something and can't be empty.