Hi,
Another option is to establish the TLS connection outside of Bazel, and then use non-TLS gRPC (probably on localhost) from Bazel. I've never tried them, but ghostunnel or stunnel look like they have a "client mode" which does this. If I were debugging this kind of problem, I'd do that because it requires less fiddling with the Bazel server process.
If you want to go the key file route, that Wireshark wiki page lists two projects that work with Java programs. The Bazel server is a Java process, so using those might work. You can add the flags using "--host_jvm_args=-javaagent:<...>" in the Bazel startup options (startup section in bazelrc or between "bazel" and "build" on the command line), although Bazel may not obey assumptions those tools make about the process environment and may break them.
Brian
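
The "client mode" tunnel idea from the message above, as an added sketch that is not part of the original message and is not ghostunnel or stunnel: a loopback listener that accepts plaintext gRPC and forwards it over a verified TLS connection, so the cleartext HTTP/2 frames can be captured on the loopback interface. The port 9092, the host `remote.example.com`, and the function names are assumptions made for illustration.

```python
import asyncio
import ssl

def make_tls_context(cafile=None):
    """Verifying client context; offers HTTP/2 via ALPN because gRPC runs over HTTP/2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.set_alpn_protocols(["h2"])
    return ctx

async def pipe(reader, writer):
    """Copy bytes one way until EOF or error, then close the destination."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except OSError:  # connection resets and ssl.SSLError both derive from OSError
        pass
    finally:
        writer.close()

async def start_proxy(listen_port, upstream_host, upstream_port, ctx):
    """Listen on loopback only; every accepted connection gets its own upstream session.

    ctx=None makes the upstream leg plaintext, which is only useful for local testing.
    """
    async def handle(local_r, local_w):
        try:
            up_r, up_w = await asyncio.open_connection(
                upstream_host, upstream_port, ssl=ctx)
        except OSError as exc:  # includes certificate verification failures
            print("upstream connect failed:", exc)
            local_w.close()
            return
        await asyncio.gather(pipe(local_r, up_w), pipe(up_r, local_w))
    return await asyncio.start_server(handle, "127.0.0.1", listen_port)

async def main():
    # Constructed placeholders: replace with the real gRPC endpoint.
    server = await start_proxy(9092, "remote.example.com", 443, make_tls_context())
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Bazel would then be pointed at the loopback port with a non-TLS `grpc://` endpoint; the server sees `127.0.0.1:9092` as the HTTP/2 authority, which a backend that routes on the authority may reject. While the tunnel runs, any local process can reach the upstream through it, so stop it when the capture is done.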