[Request] Tutorial/Help with self-signed-TLS-certs with rclone<->rclone

Hello there,

i would humbly like to request a Tutorial/Guide for using self-signed-TLS-certs with "rclone serve [s3/webdav/http]" together with rclone as the client on the other side without using insecure "no-check-certificate".
It is quite confusing what to put on both sides into --cert and --key and --client-ca so that the connection is properly encrypted.
How to create those keys and files (f.e. under Debian/Ubuntu) and what to copy where on client and server?
I can deal with normal key-based-auth in SSH but this is way more complicated and i cannot find information regarding this and rclone and i really don't want to make errors and expose private data by mistake.

Such a Tutorial would be generally a good addition to "Howto Guides" i think.
Thank you very much in advance