My ambient test:
-Oracle Linux 7.6 (VMware 15);
-Network: NAT;
-Graylog3, MongoDB and Elastic: running together;
- Documentation base for RPM distro.
First of all, read Docs » Configuring Graylog » Using HTTPS
0- mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/
1- openssl req -x509 -days 1095 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
2- openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
3- openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
4- openssl req -config openssl-graylog.cnf -out graylog.csr -new -newkey rsa:2048 -nodes -keyout graylog.key
5- openssl req -x509 -sha512 -nodes -days 1095 -newkey rsa:2048 -config openssl-graylog.cnf -keyout graylog.key -out graylog.crt
6- openssl req -config openssl-graylog.cnf -out graylog.csr -key graylog.key -new
7- openssl x509 -x509toreq -in graylog.crt -out graylog.csr -signkey graylog.key
8- openssl pkcs12 -export -in graylog.crt -inkey graylog.key -out keystore.pfx
9- openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
10- openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
11- openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
12- keytool -import -trustcacerts -file graylog.crt -alias server -keystore graylog_keystore.jks -storepass secret [SSL-JAVA]
13- keytool -list -v -keystore graylog_keystore.jks -alias graylog.domain.com
14- keytool -importkeystore -srckeystore graylog_keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
15- openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem
16- openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
17- cp -a “/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts” /etc/ssl/certs/graylog/graylog-key.jks
18- keytool -importcert -keystore graylog.jks -storepass changeit -alias graylog-self-signed -file cert.pem
19- Add “-Djavax.net.ssl.trustStore=/etc/ssl/certs/graylog/graylog-key.jks” em /etc/sysconfig/graylog-server
20- Change to HTTP publish URI in http_publish_uri = https://IP:9000/
**Don’t forget to enable ports to services in firewall and selinux.
Good luck 
Sources:
http://docs.graylog.org/en/3.0/pages/installation/os/centos.html
http://docs.graylog.org/en/3.0/pages/secure/securing.html#default-ports
http://docs.graylog.org/en/3.0/pages/configuration/web_interface.html#configuring-webif-nginx
http://docs.graylog.org/en/3.0/pages/configuration/https.html#ssl-setup
http://docs.graylog.org/en/latest/pages/sidecar.html#
http://docs.graylog.org/en/3.0/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024
https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html
https://mintopsblog.com/2018/03/04/graylog-basic-installation-with-https-ssl-configuration/ [SSL]
https://www.digicert.com/ssl-support/jks-import-export-java.htm [SSL-JAVA]