Lighttpd

I follow docs/articles/videos. Last one is this one https://www.youtube.com/watch?v=SlcrTSvMioU

What I want to do:
I have a server running (1st host RPI - 192.168.1.218) that I want my (2nd host PC) and (3rd host Android) access only using certificates. To accomplish this, I think I have to distribute root CA on these extra devices

So here is what I am doing

#CA
openssl genrsa -aes256 -out ca.key 2048                                    # generates Root CA RSA private key
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3065 -out ca.crt   # generates Root CA certificate with passphrase

#Server
openssl genrsa -out server.key 2048                                                                                                             # generate server RSA key, no passphrase
openssl req -new -key server.key -out server.csr                                                                                                # generate server CSR file (for signing?)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile server.cfg                # generate server certificate

my server.cfg config

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = 192.168.1.218
DNS.2 = <external IP>

Once we have CA root sorted and server certificate sorted, I decided to do 2 things.
1. Copy CA.crt to my (2nd host - PC) and install it in Arch following docs: https://wiki.archlinux.org/title/User:Grawity/Adding_a_trusted_CA_certificate#System-wide_%E2%80%93_Arch,_Fedora_(p11-kit)
2. I setup my lighttpd (1st Host RPI) as follows:

server.modules += ("mod_openssl")
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable" 
    ssl.pemfile = "/etc/lighttpd/ssl/server/server.crt" 
    ssl.privkey = "/etc/lighttpd/ssl/server/server.key" 
    proxy.server = ( "" => ( ( "host" =>  "127.0.0.1", "port" => 8008 ) ) )
}

3. I try to run simple curl command but get certificate error:

curl https://192.168.1.218                       
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I even add cert directly to curl curl https://192.168.1.218 -cacert ca.crt , but its the same. Only by using the ' -k ' flag (insecure) we are able to connect and fetch response which is not what we want because we wanted to use certificates in the first place.

I know we could generate clients certificates on its own, in addition to CA root and server certificate as follows, but I am unsure what this accomplish, and where we would have to put them

#Client
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650 -sha256 -extfile client.cfg

Could someone please assist with this? I have spent days trying to figure out where I went wrong