How to establish secure connection between NGINX <-> https upstream API

[satscreate]

Using below config, According to this,

https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#

server {
       listen      80;
       server_name nginx_server_name;
       #...

upstream dev {
   zone dev 64k;
   server backend.example.com:443;
}

       location /upstream {
           proxy_pass https://$upstream$request_uri;
           proxy_ssl_certificate         /etc/nginx/client.pem;
           proxy_ssl_certificate_key     /etc/nginx/client.key;
           proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
           proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
           proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

           proxy_ssl_verify        on;
           proxy_ssl_verify_depth  2;
           proxy_ssl_session_reuse on;
       }
   }
What is below client.pem & client.key?

is this the nginx client files which needs to be created and signed with CA?
or is that a backend.example.com ssl certs?

What is trusted_ca_cert.crt;?

Is this related to backend.example.com? how can i obtain this?

Steps i did:

Created csr & key using openssl with CN as nginx_server_name
signed & Got the cert (client.crt) -> client.pem configured both client.pem
& .key in config
But getting below exception when i hit the API.

upstream SSL certificate verify error: (19:self signed certificate in
certificate chain) while SSL handshaking to upstream, client: <user_ip>,
server: <nginx_server_ip>, request: "POST /getsomething HTTP/1.1", upstream:
"https://backend.example.com:443/getsomething", host: "nginx_server_ip"



--
Sent from: http://nginx.2469901.n2.nabble.com/