为将来可能遇到此问题的人发布答案.我发现关键是与.key文件一起生成.crt，而不是使用openssl生成.csr文件.

Posting an answer for those who may encounter this issue in the future. I found the key was to generate a .crt along with the .key file, not a .csr file using openssl.

openssl req \
       -newkey rsa:2048 -nodes -keyout domain.key \
       -x509 -days 365 -out domain.crt

https: //www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs

请注意，这并不意味着证书将被签名……对于您的用例而言可能不重要.

Note that this does not mean the certificate will be signed...may or may not be important for your use case.