I think your (1) makes it sound like more work than it really is.

What you'd do is issue a subCA, an intermediate certificate that says whoever has this key is allowed to issue more certificates, then you bake that subCA and the key into a MITM appliance. It mints the leaf certificates, in real time, when a connection happens. At the scale of a medium-sized corporation you can buy this off the shelf from a dozen or more companies, but obviously the off-the-shelf product produces untrustworthy certs.

Usually what a business does is they set Windows Group Policy to say, oh, actually, we trust these bogus certs. They're supposed to mint a new key for this purpose, but I've seen big companies screw that up and trust the demo keys supplied with the product. This is fine because they're your machines; you set Group Policy. Don't want to trust dubious third-rate "MITM appliances" from so-called security companies? Then don't add one in Group Policy.

But if you gave these MITM appliances a "real" publicly trusted subCA they would work, and it would be seamless as far as ordinary Web users are concerned (it's not entirely undetectable, but no ordinary users would notice). It would definitely work for a fair-size company, or a small country. And maybe if you had the hardware and the money you could do it to, say, China, or America.

We know TrustWave issued such a subCA to Walgreens, which caused a big fuss in 2012, and Mozilla told CAs that even though their policies had never specifically forbidden this it was a terrible idea, and they needed to confess and stop doing it. In 2013 the French government was caught doing this too, and their CA root was locked to ccTLDs controlled by France (France owns a bunch of quasi-independent little island nations with TLDs) in Firefox. In 2015 CNNIC did this "by mistake", selling a subCA to a company that, it says, didn't even want a subCA; somebody just screwed up. CNNIC was distrusted.
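The chain structure the comment describes (root, subCA, leaf minted on the fly) and the mitigation Firefox applied to the French root (locking a CA to a set of names), as an added example that is not part of the original post or any product mentioned in it. It is a POSIX shell script driving the openssl command line; it assumes an OpenSSL 1.1.x or 3.x `openssl` binary on PATH, and every CA name, hostname (`example.test`, `www.example.org`) and file name in it is constructed for the demo. It builds a self-signed root and two subCAs, one plain and one carrying a critical nameConstraints extension, mints a server leaf under each, and runs `openssl verify` to show that the constrained subCA's leaves only verify for names under the permitted domain, which is the check a browser performs on every chain.

```shell
#!/bin/sh
# Added example, not code from the HN thread. Toy three-level PKI built with the
# openssl CLI; contrasts an unconstrained subCA with a name-constrained one.
# All names below are constructed. Assumes OpenSSL 1.1.x or 3.x.
set -eu

PKI_DIR=""

# Minimal req config so the demo does not depend on the system openssl.cnf.
write_req_config() {
    printf '%s\n' "[req]" "distinguished_name = dn" "prompt = no" \
        "[dn]" "CN = placeholder" > "$PKI_DIR/req.cnf"
}

# P-256 key plus CSR for subject CN=$1, written as $2.key / $2.csr.
new_key_and_csr() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$PKI_DIR/$2.key"
    openssl req -new -config "$PKI_DIR/req.cnf" -key "$PKI_DIR/$2.key" \
        -subj "/CN=$1" -out "$PKI_DIR/$2.csr"
}

# Root plus two subCAs in a fresh temp dir. "constrained" is identical to
# "unconstrained" except for a critical nameConstraints limited to example.test,
# the same mechanism used to lock a CA to a set of domains.
build_demo_pki() {
    PKI_DIR=$(mktemp -d)
    write_req_config
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" > "$PKI_DIR/ca.ext"
    new_key_and_csr "Demo Root" root
    openssl x509 -req -in "$PKI_DIR/root.csr" -signkey "$PKI_DIR/root.key" \
        -days 30 -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/root.pem" 2>/dev/null
    cp "$PKI_DIR/ca.ext" "$PKI_DIR/unconstrained.ext"
    cp "$PKI_DIR/ca.ext" "$PKI_DIR/constrained.ext"
    echo "nameConstraints=critical,permitted;DNS:example.test" >> "$PKI_DIR/constrained.ext"
    for name in unconstrained constrained; do
        new_key_and_csr "Demo SubCA $name" "$name"
        openssl x509 -req -in "$PKI_DIR/$name.csr" -CA "$PKI_DIR/root.pem" \
            -CAkey "$PKI_DIR/root.key" -CAcreateserial -days 30 \
            -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.pem" 2>/dev/null
    done
}

# Mint a serverAuth leaf for host $2 signed by subCA $1, the per-connection step
# the comment describes. Output: leaf-<host>-<subca>.pem
mint_leaf() {
    printf '%s\n' "basicConstraints=CA:FALSE" "keyUsage=digitalSignature" \
        "extendedKeyUsage=serverAuth" "subjectAltName=DNS:$2" > "$PKI_DIR/leaf-$2.ext"
    new_key_and_csr "$2" "leaf-$2"
    openssl x509 -req -in "$PKI_DIR/leaf-$2.csr" -CA "$PKI_DIR/$1.pem" \
        -CAkey "$PKI_DIR/$1.key" -CAcreateserial -days 30 \
        -extfile "$PKI_DIR/leaf-$2.ext" -out "$PKI_DIR/leaf-$2-$1.pem" 2>/dev/null
}

# 0 if the leaf minted by subCA $1 for host $2 chains to the root AND satisfies
# every name constraint on the path (what a browser checks), 1 otherwise.
verify_leaf() {
    if openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/$1.pem" \
            "$PKI_DIR/leaf-$2-$1.pem" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

demo() {
    build_demo_pki
    for subca in unconstrained constrained; do
        for host in www.example.test www.example.org; do
            mint_leaf "$subca" "$host"
            if verify_leaf "$subca" "$host"; then r=accepted; else r=REJECTED; fi
            echo "$subca subCA -> $host: $r"
        done
    done
    rm -rf "$PKI_DIR"
}

demo
```

Running it prints four lines: both hosts are accepted under the unconstrained subCA, while under the constrained subCA only `www.example.test` verifies and `www.example.org` is rejected with a permitted-subtree violation. That rejection is the whole value of the constraint: the subCA key can still sign anything, but relying parties discard what it signs outside its permitted names.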
