
So, I have control over a small webserver that controls a subdomain of an intranet domain; the domain has HSTS turned on, so I can't connect to my subdomain via HTTP; I also can't use self-signed certificates and HTTPS. I've thought about using Let's Encrypt to get a proper certificate, but due to the domain being inaccessible from the internet, I can't do that either.

Is there a way to circumvent HSTS to connect to my server through a browser? (I'm trying to set up a Jupyter instance, if that matters)

  • 1
    HSTS doesn't affect subdomains unless you explicitly add includeSubdomains
    – Bob
    Commented Apr 27, 2018 at 12:14
  • Well, apparently, it is included; I only have control over the subdomain, so I did not configure HSTS
    – user430258
    Commented Apr 27, 2018 at 12:35
  • Unfortunately, you're stuck either setting up valid HTTPS or getting the parent domain's admin to remove includeSubdomains (and waiting for the previous HSTS entry to expire if you're not the only user).
    – Bob
    Commented Apr 28, 2018 at 15:08

1 Answer

Actually, this is addressed in the spec for HSTS, RFC 6797 (emphasis mine):

11.3. Using HSTS in Conjunction with Self-Signed Public-Key Certificates

If all four of the following conditions are true...

o a web site/organization/enterprise is generating its own secure transport public-key certificates for web sites, and

[...]

...then secure connections to that site will fail, per the HSTS design. This is to protect against various active attacks, as discussed above.

[...]

However, if said organization wishes to employ its own CA, and self-signed certificates, in concert with HSTS, it can do so by deploying its root CA certificate to its users' browsers or operating system CA root certificate stores. It can also, in addition or instead, distribute to its users' browsers the end-entity certificate(s) for specific hosts.

So you need to do one of these:

  • sign your self-generated certificate with a CA certificate (which you also generated), and install the CA cert into the browser (or the OS store, if the browser uses that)
  • install the self-signed certificate into the browser or OS store

How to install the certificate depends on the browser; there are multiple answers here on how to do this.

Actually, this is what you should be doing even without HSTS, as it prevents the usual certificate warnings. However, with HSTS it's actually the only way.
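The first option above (a private CA whose root is imported into the trust store, signing a leaf certificate for the subdomain) as a worked example. This is added here and is not code from the answer or the question; the host name `jupyter.intranet.example`, the CA name, the output directory and the validity periods are assumptions to replace with your own. It writes its own minimal OpenSSL config files so it does not depend on the system `openssl.cnf`, and it puts the host in a `subjectAltName` because current Chrome and Firefox ignore a CN-only certificate. The final `verify_chain` step reproduces the two checks the browser will make once the root is trusted: the leaf chains to the CA, and the host matches the SAN. Under HSTS there is no click-through for a failure of either, so it is worth running before touching the browser.

```shell
#!/bin/sh
# Added example (not from the original answer): build a private root CA,
# issue a server certificate for an intranet subdomain, and verify the chain
# the way a browser will once the CA is trusted. Host name and paths are
# assumptions; override with HOST=... and WORKDIR=... in the environment.
set -e

HOST="${HOST:-jupyter.intranet.example}"   # assumed subdomain name
WORKDIR="${WORKDIR:-$(mktemp -d)}"          # where keys and certs are written

# 1. Private root CA: self-signed, marked CA:TRUE so browsers accept it as a
#    trust anchor once imported. A minimal config avoids depending on the
#    system openssl.cnf.
make_ca() {
  cat > "$WORKDIR/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Intranet Private Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Server key + CSR, then a leaf certificate signed by the CA. The
#    subjectAltName is what the browser matches against the URL host;
#    the CN alone is not enough for current Chrome or Firefox.
make_server_cert() {
  host="$1"
  cat > "$WORKDIR/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
EOF
  cat > "$WORKDIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/server.cnf" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$WORKDIR/server.ext" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# 3. The checks a browser performs under HSTS with no click-through:
#    the leaf chains to a trusted root, and the host matches the SAN.
#    Returns 0 on success, non-zero on any failure.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
    "$WORKDIR/server.crt" >/dev/null 2>&1
}

make_ca
make_server_cert "$HOST"
verify_chain "$HOST"
echo "CA cert to import into the browser/OS trust store: $WORKDIR/ca.crt"
echo "Server cert and key for the web server: $WORKDIR/server.crt $WORKDIR/server.key"
```

Import `ca.crt` (not `server.crt`, so later re-issued leaf certificates are trusted without another import) into whichever store the browser actually consults: Firefox keeps its own store (Settings, Privacy & Security, Certificates, View Certificates, Authorities, Import), Chromium on Linux uses the NSS database (`certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Intranet Private Root CA" -i ca.crt`), and on Debian-based systems the OS store is updated by copying `ca.crt` into `/usr/local/share/ca-certificates/` and running `update-ca-certificates`. Keep `ca.key` off the web server; only `server.crt` and `server.key` go there (for Jupyter, `jupyter notebook --certfile=server.crt --keyfile=server.key`, an assumed invocation for the setup mentioned in the question).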
