At the most basic level, an extension is just a set of HTML files. Usually you’ll have one for the configuration page, one for the live page, and one for panel/overlay/component/mobile view.
If you want your extension to do anything, it’s going to need some JavaScript, so the HTML files will point to that. Same goes for CSS.
All the rig does is provide a basic way to display and test your extension without it needing to be on an actual live channel, and if you’re working with Bits it also provides a way to make all your product SKUs. Cert generation is used, both on the rig and in the sample extensions, because ALL communication must be over a secure connection. If your extension is just a plain HTML page that doesn’t make any external requests or want to open sockets, then certs are not as big an issue. Using the hello world extension as an example, the extension communicates with the EBS, so that needs to be over HTTPS.
The file structure can be almost whatever you like. When you send the files to Twitch for them to host, they’ll be in a zip with the HTML files in the root of that zip. Those HTML files can point to JS/CSS/images or whatever assets they need, either within the same directory or nested within folders; the structure is whatever you want as long as the paths are correct.
The reason the Hello World example is structured the way it is is that it has both a frontend service (this runs a web server that hosts the extension; I believe the rig can also host extension files itself now, but I haven’t tried this since I have my own hosting setup) and a backend service (this is the EBS that the extension uses; in this example it shows how clicking the change colour button sends a request to the EBS, and the EBS broadcasts it so it changes colour for all users). When you progress to the Hosted Test stage of development, you’re sending your extension files to Twitch to host, so you can ignore having to host the frontend yourself at that stage.
As for EBS, well, that’s entirely up to you. Not all extensions need a backend for their use case. If you do need a backend server, then it’s for you to host somewhere, and you can use whatever language you desire, as long as it sends messages over HTTPS or a secure websocket, so you’ll need a proper certificate.
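As an added example (not part of the post above, and not Twitch's or the rig's own tooling), this Python script checks a zip before upload for the two points the post makes: HTML files in the zip root with asset paths that resolve inside the zip, and no plain `http://` or `ws://` references. The function names, file names and the `ebs.example` host are constructed for illustration.

```python
import io
import posixpath
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

class Refs(HTMLParser):
    """Collect src/href values from every tag except <a>."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("src", "href") and v and tag != "a"]

def check_bundle(zip_bytes):
    """Return a list of problems in an extension zip; an empty list means none found."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        pages = sorted(n for n in names if "/" not in n and n.lower().endswith(".html"))
        if not pages:
            problems.append("no HTML file in the root of the zip")
        for page in pages:
            parser = Refs()
            parser.feed(zf.read(page).decode("utf-8", "replace"))
            # Pages sit in the zip root, so relative paths resolve from there.
            for ref in parser.refs:
                url = urlsplit(ref)
                if url.scheme in ("http", "ws"):
                    problems.append(f"{page}: insecure URL {ref}")
                elif url.scheme or url.netloc or not url.path:
                    continue  # https/wss/data, protocol-relative or fragment-only
                elif posixpath.normpath(url.path) not in names:
                    problems.append(f"{page}: missing asset {ref}")
    return problems

def build_sample():
    """Constructed sample bundle: one clean page and one page with two problems."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.html", '<script src="config.js"></script>')
        zf.writestr("config.js", "")
        zf.writestr("viewer.js", "")
        zf.writestr("panel.html", '<link rel="stylesheet" href="css/style.css">'
                    '<script src="http://ebs.example/lib.js"></script>'
                    '<script src="viewer.js"></script>')
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(check_bundle(build_sample())) or "no problems found")
```

It only inspects `src` and `href` attributes in the HTML; URLs built inside the JavaScript itself, such as requests to an EBS, still need checking by hand.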