For anyone having the same problem, I ended up succeeding with this script
#!/usr/bin/env bash
openssl genpkey -algorithm RSA -out localhost.key
openssl req -x509 -key localhost.key -out localhost.crt \
-subj "/CN=localhost/O=localhost" \
-config <(cat /etc/ssl/openssl.cnf - <<END
[ x509_ext ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
subjectAltName = DNS:localhost
END
) -extensions x509_ext
sudo trust anchor localhost.crt
Then I used this command to convert it to PFX for Kestrel:
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
Voilà! Just took me 3 hours and a lot of searching in old forums posts. Hopefully this is will be useful for someone else!