In theory, it is possible to use selfsigned in .env, but I have not been able to get it to work; somehow, the certificate is always generated for localhost, even if I changed the settings in odk-setup.sh ( openssl req -x509 -newkey rsa:4086...)
Using customssl and creating a root certificate with easyrsa is anyway more flexible, but I would be interested to know how to get selfsigned to work.