EDIT: Since writing this answer there is a new tool mkcert that does this for you. See https://mcmap.net/q/180695/-npm-http-server-with-ssl instead. My original answer below for historical interest.
Firefox didn't accept self-signed certs, so a bit more effort was required. First create a CA:
openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout ca-key.pem -x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"
Add ca.pem (A localhost CA) to trusted certs of your OS and/or Firefox (other browsers use system CAs). Keep the ca* files in a secure location for future use, so you never have to do this again.
Then, for any site that you are running, and whenever you wish to change settings, create cert.pem and key.pem with:
openssl req -batch -new -newkey ec:(openssl ecparam -name prime256v1|psub) -nodes -keyout key.pem -subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem -CAcreateserial -out cert.pem -days 365 -extfile (echo subjectAltName=DNS:localhost|psub)
The above should work on most systems. If not, you might want to create temporary files ecparam.tmp and ext.tmp. Commands functionally equivalent to the two oneliners:
# Output Elliptic Curve parameters to a temporary file
openssl ecparam -name prime256v1 -out ecparam.tmp
# Create CA
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout ca-key.pem \
-x509 -out ca.pem -days 3650 -subj "/CN=A localhost CA"
# Create a CSR for localhost, then sign it by CA
echo subjectAltName=DNS:localhost > ext.tmp
openssl req -batch -new -newkey ec:ecparam.tmp -nodes -keyout key.pem \
-subj /CN=localhost | openssl x509 -req -CAkey ca-key.pem -CA ca.pem \
-CAcreateserial -out cert.pem -days 365 -extfile ext.tmp