all ok.. it took me ages to work through things. I still have a few gaps.. 
In this specific example.. which I will write up about soon.."golang.http.server" is an identity that I enrolled on a server.
When you create an identity.. Open Ziti generates a jtw token that you use for enrolling the identity.
In this case.. as the identity is used to represent the http service... I moved it onto the server.. and used the ziti edge enroll to enroll the identity..
this creates the json file in the same directory that you run it from
When you inspect the contents of the json file.. you will noticed that it has the chain of certificates required for mutual TLS... ie.. after the server has confirmed that it is how it is from the certificate issued by the certificate authority.. the client then confirms it is the real client .. using this chain of certificates in the json file
As I am more of an app developer than security admin technician.. I have found this quite a bit to chew on for a while... but as you work through it all... it does all start to work together nicely..
I think in this specific example, I would encourage you to start really small.
Here is a download of my journey before I tackled a reverse proxy... which I am still working through because those certificates need to be setup correctly.. (which has taken me days to work through)