# openssl genrsa -out mysite.key 2048
# openssl req -new -key mysite.key -out mysite.csr
# openssl x509 -req -days 3650 -in mysite.csr -signkey mysite.key -out mysite.crt

Then, in your virtual host definition:

ssl on;
ssl_certificate     /etc/nginx/tlskeys/mysite.crt;
ssl_certificate_key /etc/nginx/tlskeys/mysite.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers         TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:HIGH:!aNULL:!MD5;