the process you described is to add the self signed certificate to trusted certificate store so that browser will not throw the cert error, that is not really much of security.

If you don't have a PKI infrastructure, just use default cert, it will still allow you to do all integrations with DNAC like ISE, adding devices for management etc. Since your browser do not trust Cisco default signed cert you will continue to get the error message.

Cisco recommends assigning cert before DNAC is in production because if a connection is lost between managed device and DNAC for some reason (such as a power outage or reboot), network devices will need to establish trust with the new CA before connections can be established.