The certificate is not trusted, because the issuer has it self signed.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
This problem occurs only with self-signed certs.
In NS there is no authority which could be installed as trusted, so you have no chance to get this cert accepted by newer browsers, because there is no possibility to add an exception.
Chromium-based browsers changed from SSL with CN (common name) to SSL with SAN (Subject Alternative Name).
openssl genrsa -des3 -out rootCA-auth.key 2048
openssl req -x509 -new -nodes -key rootCA-auth.key -sha256 -days 3650 -out rootCA-auth.crt
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
openssl x509 -req -in server.csr -CA rootCA-auth.crt -CAkey rootCA-auth.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext
with v3.ext file:
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

# section referenced by "@alt_names" above
[alt_names]
DNS.1 = server.domain.tld
IP.1 = XXX.XXX.XXX.XXX
The rootCA-auth.crt is a root CA which can be used as an authority once it is installed in the machine's trusted authority database. Once installed, every server which uses a cert signed by this authority is accepted; in this case it's server.crt.
So you have created your own local authority.
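
A check to run before installing the CA on client machines, as an added example that is not part of the original post: it confirms that a server cert chains to the local CA and that its subjectAltName lists the hostname, which is the condition Chromium-based browsers test. The function names, the req.cnf helper file and the demo file names are assumptions made for this example; the demo CA uses unencrypted throwaway keys.

```shell
#!/bin/sh
# check_cert CA_FILE CERT_FILE HOSTNAME
#   0 = chain verifies and subjectAltName lists DNS:HOSTNAME
#   1 = cert does not chain to CA_FILE
#   2 = chain verifies but SAN has no matching DNS entry (CN is ignored)
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$3" || return 2
}

# make_demo_certs DIR: constructed test data only (throwaway CA, unencrypted
# keys, 2-day lifetime). Writes ca.crt, san.crt and cn-only.crt into DIR.
make_demo_certs() {
    d=$1
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    cat > "$d/v3.ext" <<'EOF'
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = server.domain.tld
EOF
    openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -sha256 -days 2 -subj '/CN=Demo Root CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=server.domain.tld' \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    # Sign the same CSR twice: once with the SAN extension file, once without.
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/v3.ext" \
        -out "$d/san.crt" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -sha256 -out "$d/cn-only.crt" 2>/dev/null
}
```

Against the files from the post, the call would be check_cert rootCA-auth.crt server.crt server.domain.tld; a return code of 2 means the cert was signed without the -extfile v3.ext step.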