Self-signed certificates are almost completely useless nowadays. None of the major browsers will allow self-signed certificates without an explicit permission request and major warnings (see Firefox for that).
You have some options. You can make a self-signed CA; while that sounds like the same thing, it is NOT. Watch this video: https://youtu.be/DTlx3Lhdq40 that explains all this. Basically it means that you need to deploy the self-signed CA on all the computers that will be using this.
Clearly this isn’t a public/production solution, so in that case there are some options:
Let’s say your WebRTC solution is a public service, then you will want, say, Apache to host a reverse proxy on a secure port, and reverse proxy the traffic to your web socket connection of Asterisk. Doing this makes the Apache service the front line, and also allows you to use Let’s Encrypt with the certbot service to obtain and maintain an SSL certificate for you. (Assuming you have a public IP or domain under your control.)
Let’s say you are using AWS or something like that, then just spin up an Application Load Balancer. Doing this exposes a live SSL port with an Amazon-signed certificate as your perimeter, which forwards web socket connections to Asterisk. The nice thing about this solution is that, as the name says, it’s also a load balancer, so scaling out is no problem.
(I don’t have a video for these solutions, but get a lot of requests about this, so will probably do something)
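
A sketch of the Apache option described above, added here as an example and not taken from the original post. The hostname `webrtc.example.com`, the loopback address, and Asterisk's HTTP listener on port 8088 with the WebSocket at `/ws` are assumptions to adjust for your own setup.

```apache
# Added example, not the poster's configuration. Assumptions:
#   - public hostname webrtc.example.com (placeholder)
#   - Asterisk HTTP server on 127.0.0.1:8088, WebSocket endpoint at /ws
#   - certificate issued by certbot under /etc/letsencrypt/live/
# Modules needed: ssl, rewrite, headers, proxy, proxy_wstunnel

<VirtualHost *:80>
    ServerName webrtc.example.com

    # Keep the ACME HTTP-01 challenge reachable for certbot renewals,
    # send everything else to the TLS listener.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName webrtc.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/webrtc.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/webrtc.example.com/privkey.pem
    # Refuse legacy protocol versions at the perimeter.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # Browsers connect to wss://webrtc.example.com/ws; Apache terminates
    # TLS and relays plain WebSocket to Asterisk on loopback.
    ProxyPass /ws ws://127.0.0.1:8088/ws
</VirtualHost>
```

With this in place, Asterisk's HTTP listener should be bound to loopback (`bindaddr=127.0.0.1` in `http.conf`) so the WebSocket is reachable only through the TLS front end. Only the signaling WebSocket passes through the proxy; the media streams are negotiated separately between the browser and Asterisk.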