Certificates - Create a self-signed certificate

You can create a self-signed certificate using the req command provided with OpenSSL, like this:

openssl req -x509 -newkey rsa:1024 -keyout file1 -out file2 -days 9999 -nodes

file1 and file2 can be the same file; the key and the certificate are delimited and so can be identified independently. The -days option specifies a period for which the certificate is valid. The -nodes option is important: if you do not set it, the key is encrypted with a passphrase that you are prompted for, and any use that is made of the key causes more prompting for the passphrase. This is not helpful if you are going to use this certificate and key in an MTA, where prompting is not possible.

WARNING: we are now past the point where 9999 days takes us past the 32-bit Unix epoch. If your system uses unsigned time_t (most do) and is 32-bit, then the above command might produce a date in the past. Think carefully about the lifetime of the systems you’re deploying, and either reduce the duration of the certificate or reconsider your platform deployment. (At time of writing, reducing the duration is the most likely choice, but the inexorable progression of time takes us steadily towards an era where this will not be a sensible resolution).
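As an added example that is not part of the original page: a small POSIX sh wrapper around the openssl req -x509 command above. It differs from the one-liner in three ways a practitioner would want today: it uses a 2048-bit key rather than rsa:1024 (1024-bit RSA is rejected by current TLS clients), it adds a subjectAltName (current clients match the host name against the SAN, not the CN), and it refuses a -days value that would push notAfter past the signed 32-bit time_t limit the warning describes. It keeps -nodes so an MTA can load the key unattended. The function names, the output directory and the example.test host name are constructed for this example; -addext and -ext need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Function names, output
# paths and the example.test host name are constructed for illustration.
# Requires OpenSSL 1.1.1 or newer (-addext, -ext).

# Largest value a signed 32-bit time_t can hold: 2038-01-19 03:14:07 UTC.
TIME_T_MAX_32=2147483647

# days_fit_32bit START_EPOCH DAYS
# Succeeds (exit 0) when START_EPOCH + DAYS*86400 still fits in a signed
# 32-bit time_t, i.e. notAfter would not wrap into the past on such systems.
days_fit_32bit() {
    _end=$(( $1 + $2 * 86400 ))
    [ "$_end" -le "$TIME_T_MAX_32" ]
}

# make_selfsigned OUTDIR HOSTNAME DAYS
# Writes OUTDIR/HOSTNAME.key (unencrypted, -nodes) and OUTDIR/HOSTNAME.crt.
# Refuses, before touching openssl, a lifetime that overruns 2038 on 32-bit.
make_selfsigned() {
    _dir=$1; _host=$2; _days=$3
    if ! days_fit_32bit "$(date +%s)" "$_days"; then
        echo "refusing: $_days days runs past 2038-01-19 on 32-bit time_t" >&2
        return 2
    fi
    mkdir -p "$_dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$_dir/$_host.key" -out "$_dir/$_host.crt" \
        -days "$_days" \
        -subj "/CN=$_host" \
        -addext "subjectAltName=DNS:$_host" >/dev/null 2>&1
}

# cert_summary CERTFILE
# Prints subject, SAN and validity window for a quick eyeball check.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates -ext subjectAltName
}

# cert_valid_now CERTFILE
# Succeeds when the certificate is inside its validity period right now.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Usage when run directly (825 days is a common upper bound clients accept):
#   make_selfsigned ./certs mail.example.test 825 \
#       && cert_summary ./certs/mail.example.test.crt
```

The lifetime check runs before openssl is invoked, so a request for 9999 days fails fast with a message instead of silently producing a certificate whose notAfter a 32-bit host reads as 1901.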

A self-signed certificate made in this way is sufficient for testing, and may be adequate for all your requirements if you are mainly interested in encrypting transfers, and not in secure identification.

However, many clients require that the certificate presented by the server be a user (also called “leaf” or “site”) certificate, and not a self-signed certificate. In this situation, the self-signed certificate described above must be installed on the client host as a trusted root certification authority (CA), and the certificate used by Exim must be a user certificate signed with that self-signed certificate.

For information on creating self-signed CA certificates and using them to sign user certificates, see the General implementation overview chapter of the Open-source PKI book, available online at http://ospkibook.sourceforge.net/.
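As an added example, not taken from this page or from the PKI book it cites: the two-tier arrangement the previous two paragraphs describe, built with openssl alone. A self-signed CA certificate (the thing the client installs as a trusted root) signs a separate leaf certificate for the mail host, and the client-side check is reproduced with openssl verify. Each request uses a minimal config file written on the fly rather than the system openssl.cnf, so the extensions that distinguish a CA from a leaf are explicit. The function names, directory, file names and the host names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page or the cited PKI book. All
# names and paths below are constructed for illustration.

# write_cnf FILE CN EXT_LINES
# Minimal req config: fixed subject, plus an [ext] section holding EXT_LINES.
write_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[ext]\n%s\n' \
        "$2" "$3" > "$1"
}

# make_ca DIR NAME DAYS
# Self-signed CA key and certificate. CA:TRUE plus a keyUsage limited to
# signing, so the CA key cannot double as a server key.
make_ca() {
    _d=$1; _n=$2; _days=$3
    mkdir -p "$_d" || return 1
    write_cnf "$_d/$_n.cnf" "$_n" \
        'basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash'
    openssl req -x509 -config "$_d/$_n.cnf" -extensions ext \
        -newkey rsa:2048 -nodes -sha256 -days "$_days" \
        -keyout "$_d/$_n.key" -out "$_d/$_n.crt" >/dev/null 2>&1
}

# make_leaf DIR CA_NAME HOST DAYS
# Leaf key and CSR for HOST, then a certificate signed by the CA. The
# extensions come from the signer (-extfile), not from the CSR.
make_leaf() {
    _d=$1; _ca=$2; _h=$3; _days=$4
    write_cnf "$_d/$_h.cnf" "$_h" \
        "basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$_h"
    openssl req -new -config "$_d/$_h.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$_d/$_h.key" -out "$_d/$_h.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$_d/$_h.csr" -days "$_days" -sha256 \
        -CA "$_d/$_ca.crt" -CAkey "$_d/$_ca.key" -CAcreateserial \
        -extfile "$_d/$_h.cnf" -extensions ext \
        -out "$_d/$_h.crt" >/dev/null 2>&1
}

# verify_chain CA_CERT LEAF_CERT
# The check a client performs once CA_CERT is in its trust store.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# is_ca CERT
# Succeeds when the certificate asserts basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Usage when run directly:
#   make_ca ./pki homeca 3650
#   make_leaf ./pki homeca mail.example.test 365
#   verify_chain ./pki/homeca.crt ./pki/mail.example.test.crt && echo chain OK
```

The CA lifetime is deliberately longer than the leaf lifetime; the CA certificate is what ends up in every client's trust store, so it should outlive the server certificates it signs, while the leaf can be reissued cheaply. Only the CA certificate, never the CA key, is copied to clients.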

Broken down

# 1. Generate a new key and a certificate signing request (CSR); without -nodes the key is written passphrase-protected.
openssl req -new -out file1.pem -keyout file2.pem
# 2. Write an unencrypted copy of the key so the server can load it without a passphrase prompt.
openssl rsa -in file2.pem -out www.key
# 3. Self-sign the CSR with that key to produce a certificate valid for ten years.
openssl req -x509 -in file1.pem -out www.crt -key www.key -days 3650

Another method

openssl req -new -x509 -days 3650 \
  -newkey rsa:2048 -nodes -keyout test.key \
  -out test.crt \
  -subj '/C=PL/ST=example/O=ShareWiz/OU=test/CN=test'

certificates/create_a_self-signed_certificate.1478794700.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
