# INSTALL OPENSSL
cd /usr/local/src/
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
tar -xf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
sudo ./config -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
sudo make
sudo make install
# CREATE CONF FOR OPENSSL
cd
mkdir local_ssl
cd local_ssl
touch localhost_ssl.conf
vim localhost_ssl.conf
# ADD CONTENT TO CONF FILE (replace each <--placeholder--> with your own values)
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = <--COUNTRY CODE - 2 Characters-->
ST = <--PROVINCE/ STATE-->
L = <--CITY-->
O = <--ORGANISATION-->
OU = <--DEPARTMENT-->
CN = <--CERTIFICATE ISSUER NAME - Can be anything-->
[v3_req]
# digitalSignature is required: the ECDHE-only cipher list below makes the RSA key sign the handshake
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = localhost
# GENERATE CERTIFICATE
openssl req -x509 -nodes -days 1024 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost_ssl.conf -extensions 'v3_req'
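As an added example (not part of the gist), the POSIX shell script below generates the same kind of certificate from an equivalent config and then checks the result before it is copied into /etc/ssl. It differs from the config above in three assumed ways: the DN values are constructed placeholders, an IP SAN for 127.0.0.1 is added next to DNS:localhost, and keyUsage includes digitalSignature, which the ECDHE-only nginx cipher list below needs. Function names and paths are my own; it needs openssl 1.1.1 or newer.

```sh
#!/bin/sh
# Added example: generate the localhost certificate and verify its extensions.
# Not the gist's own script; DN values and the IP SAN are constructed.
set -eu

# Write the OpenSSL request config into directory $1.
write_conf() {
  cat > "$1/localhost_ssl.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = Example State
L = Example City
O = Example Org
OU = Dev
CN = localhost
[v3_req]
# digitalSignature is needed for the ECDHE-RSA suites nginx offers
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
}

# Generate key and self-signed cert into directory $1; returns 0 on success.
gen_cert() {
  write_conf "$1"
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout "$1/localhost.key" -out "$1/localhost.crt" \
    -config "$1/localhost_ssl.conf" -extensions v3_req >/dev/null 2>&1
}

# Return 0 if certificate $1 carries the SAN entry $2 (e.g. "DNS:localhost").
cert_has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# Return 0 if certificate $1 lists key usage $2 (e.g. "Digital Signature").
cert_has_key_usage() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Key Usage' | grep -q "$2"
}

# Return 0 if the certificate verifies against itself as trust anchor.
cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Return 0 if private key $2 belongs to certificate $1 (public keys match).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run every check on a freshly generated pair; prints PASS/FAIL per check.
check_all() {
  dir=${1:-.}
  gen_cert "$dir"
  crt="$dir/localhost.crt"; key="$dir/localhost.key"
  for c in "cert_has_san $crt DNS:localhost" \
           "cert_has_key_usage $crt Digital" \
           "cert_self_verifies $crt" \
           "key_matches_cert $crt $key"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
  done
}
```

Run `check_all "$HOME/local_ssl"` to produce and validate the files; only copy localhost.crt and localhost.key into /etc/ssl once every line reads PASS.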
# CONFIGURING NGINX
sudo cp localhost.crt /etc/ssl/certs/localhost.crt
sudo cp localhost.key /etc/ssl/private/localhost.key
sudo vim /etc/nginx/sites-available/default
# CONTENT
server {
# Ports to listen on (IPv4 and IPv6)
listen 443 ssl http2;
listen [::]:443 ssl http2;
# Server name to listen for
server_name localhost;
# Path to document root
root /var/www/html;
#SSL
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# File to be used as index
index index.html;
# Logs
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
}
# ADDING CERTIFICATE TO THE BROWSER
cd /
sudo apt-get update
sudo apt-get install libnss3-tools
cd /etc/ssl/certs/
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i localhost.crt
# TEST AND RELOAD
sudo nginx -t
sudo service nginx reload
# HELP ======================== CERTUTILS COMMANDS
List all certificates
certutil -d sql:$HOME/.pki/nssdb -L
List details of a certificate
certutil -d sql:$HOME/.pki/nssdb -L -n <certificate nickname>
Add a certificate
certutil -d sql:$HOME/.pki/nssdb -A -t <TRUSTARGS> -n <certificate nickname> -i <certificate filename>
The TRUSTARGS are three strings of zero or more alphabetic characters, separated by commas. They define how the certificate should be trusted for SSL, email, and object signing, and are explained in the certutil docs or Meena's blog post on trust flags.
For example, to trust a root CA certificate for issuing SSL server certificates, use
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>
To import an intermediate CA certificate, use
certutil -d sql:$HOME/.pki/nssdb -A -t ",," -n <certificate nickname> -i <certificate filename>
Note: to trust a self-signed server certificate, we should use
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n <certificate nickname> -i <certificate filename>
This should work now, because NSS bug 531160 is claimed to be fixed in a related bug report. If it doesn't work, then to work around the NSS bug, you have to trust it as a CA using the “C,,” trust flags.
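As an added example (not part of the gist), the POSIX shell script below applies the trust-flag rules above by inspecting the certificate with openssl: a self-signed CA gets "C,,", an intermediate CA ",,", a self-signed server certificate "P,,", and a CA-issued leaf is refused because the browser should trust its issuer instead. It prints the certutil command rather than running it, so it works without libnss3-tools installed; function names and the nickname argument are my own. Note that the import step earlier on this page uses "CT,c,c", which makes the localhost certificate a trusted CA for server and client certificates, whereas "P,," trusts only that single certificate.

```sh
#!/bin/sh
# Added example: choose certutil TRUSTARGS for a certificate file.
# Not the gist's own script; inspects the cert with openssl only.
set -eu

# Return 0 if the certificate in $1 is self-signed (issuer equals subject).
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# Return 0 if the certificate in $1 asserts basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Print the TRUSTARGS for certificate $1 (SSL slot only; email and object
# signing stay empty). Returns 1 for a leaf issued by another CA: import
# that CA instead of pinning one leaf.
trust_flags_for() {
  if is_ca "$1"; then
    if is_self_signed "$1"; then echo "C,,"; else echo ",,"; fi
  elif is_self_signed "$1"; then
    echo "P,,"
  else
    echo "refusing: $1 is a leaf signed by another CA; import that CA instead" >&2
    return 1
  fi
}

# Print the certutil command for certificate $1 under nickname $2.
certutil_cmdline() {
  flags=$(trust_flags_for "$1") || return 1
  printf 'certutil -d sql:%s/.pki/nssdb -A -t "%s" -n "%s" -i "%s"\n' \
    "${HOME:-/root}" "$flags" "$2" "$1"
}
```

Typical use is `certutil_cmdline localhost.crt localhost`, then run the printed line once libnss3-tools is installed. If Chrome still rejects the "P,," import because of the NSS bug mentioned above, the "C,," workaround from the text remains the fallback.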
Add a personal certificate and private key for SSL client authentication
Use the command:
pk12util -d sql:$HOME/.pki/nssdb -i PKCS12_file.p12
to import a personal certificate and private key stored in a PKCS #12 file. The TRUSTARGS of the personal certificate will be set to “u,u,u”.
Delete a certificate
certutil -d sql:$HOME/.pki/nssdb -D -n <certificate nickname>