They are used to extend rights to some other entity (a computer process, typically, or sometimes to the user itself). Either free from Let's Encrypt (certbot) or paid from a CA like DigiCert. This allows the entity to perform operations on behalf of the owner of the EE (end entity) certificate.
The requirements for a valid proxy. You could use a wildcard certificate *.mydomain.com for your proxy. The trusted CA certificates in the file named by the proxy_ssl_trusted_certificate directive are used to verify the certificate on the upstream