After SSL - Hostname not verified

Thank you to the community with a special shout out to @gsmith

In the end I ended up doing the following. It seems the documentation is a general guide to ALL the ways in which you can secure Graylog with SSL/TLS/Cert. In the end, all I wanted to do was use a self cert in the default Java Keystore.

Create a cert from a config file. I did have to use keyUsage = nonRepudiation, digitalSignature, keyEncipherment, as suggested by @gsmith, to get it to work with Chrome without disabling TLS 1.3. I made mine valid for 3 years.
openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

Convert the pkcs5 to pkcs8
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

Create an encrypted version of the pkcs8
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:changeit

Make sure my entry was not already in the keystore
keytool -list -v -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64/jre/lib/security/cacerts -alias host.domain -storepass changeit

It was because of previous work, so delete it
keytool -delete -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64/jre/lib/security/cacerts -alias host.domain -storepass changeit

Import the cert.pem created above into the keystore
keytool -importcert -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64/jre/lib/security/cacerts -storepass changeit -alias host.domain -file cert.pem

Verify the new cert is in the keystore
keytool -list -v -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64/jre/lib/security/cacerts -alias host.domain -storepass changeit

Clean up all my other cert stuff that didn’t work
rm /etc/graylog/*.*

Copy the new certs from where I had been working to where I want my certs
cp /tmp/zach/*.* /etc/graylog

Give the graylog user ownership of all the certs. Otherwise you get a "cannot verify private key" error because Graylog cannot access the files.
chown graylog:graylog -R /etc/graylog

Edit the graylog server config
/etc/graylog/server/server.conf
http_enable_tls = true
http_tls_cert_file = /etc/graylog/cert.pem
http_tls_key_file = /etc/graylog/pkcs8-encrypted.pem
http_tls_key_password = changeit

Add the path and password of the default Java Keystore. You don’t have to do this if you don’t change the password. I had, but obfuscated it in this post.
/etc/sysconfig/graylog-server
GRAYLOG_SERVER_JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.272.b10-3.el8_3.x86_64/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit"

Restart the Graylog server
systemctl restart graylog-server

Watch the logs
tail -f /var/log/graylog-server/server.log

At this point SSL on the website, all APIs, TLS 1.3, and Chrome are working. Now to see if I can get an Input to use it :) See you back in the forums, Zach.

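A pre-flight check for the cert/key pair produced by the steps above, added here as an example and not part of the original post or of Graylog: it assumes openssl is on the PATH and takes the cert path, the key path, the key password and the hostname users type into the browser as arguments, so the "Hostname not verified" class of problem is caught before server.conf is edited.

```shell
# Added example, not part of the original post: pre-flight checks on a
# cert/key pair before pointing http_tls_cert_file / http_tls_key_file at
# them. Paths, hostname and password are caller-supplied assumptions.

# check_tls_material CERT KEY KEY_PASSWORD HOSTNAME
# Prints one line per check; returns the number of failed checks (0 = ok).
check_tls_material() {
  cert=$1; key=$2; pass=$3; host=$4; fails=0
  note() { printf '%s: %s\n' "$1" "$2"; if [ "$1" = FAIL ]; then fails=$((fails + 1)); fi; }

  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
    { note FAIL "cannot parse certificate $cert"; return 1; }

  # 1. http_tls_key_file with http_tls_key_password expects an encrypted
  #    PKCS#8 key, i.e. pkcs8-encrypted.pem, not the plain PKCS#5 key.
  if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key" 2>/dev/null; then
    note PASS "key is an encrypted PKCS#8 file"
  else
    note FAIL "key is not an encrypted PKCS#8 file"
  fi

  # 2. The key must decrypt with the given password and belong to the cert.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || key_pub=
  if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    note PASS "private key decrypts and matches the certificate"
  else
    note FAIL "key does not decrypt with that password or does not match"
  fi

  # 3. keyUsage must include digitalSignature and keyEncipherment.
  ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;q;}')
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*) note PASS "keyUsage:$ku" ;;
    *) note FAIL "keyUsage lacks digitalSignature/keyEncipherment:$ku" ;;
  esac

  # 4. Browsers match the typed hostname against the SAN list, not the CN;
  #    a missing SAN entry is what yields "Hostname not verified".
  san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;q;}')
  if printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$host"; then
    note PASS "SAN contains DNS:$host"
  else
    note FAIL "SAN does not contain DNS:$host"
  fi

  # 5. After chown graylog:graylog the key should not be world-readable.
  case "$(ls -ld "$key" 2>/dev/null)" in ???????r*) note WARN "$key is world-readable" ;; esac
  return $fails
}
```

Run it as `check_tls_material /etc/graylog/cert.pem /etc/graylog/pkcs8-encrypted.pem changeit host.domain` with your own values; a non-zero exit status means at least one check failed.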