This was my original script to make Apache2 keys, but it should work for Postscript.
This lives in /etc/postfix, and creates keys and certs directly in that directory.
You must be root to run this with the correct perms.

After making the certs, you need to run:

sudo systemctl restart postfix


Create the file smtpd.key, then make it writable only to root


touch smtpd.key
chmod 600 smtpd.key
#create an rsa private key
openssl genrsa -out smtpd.key 4096
# using that key as source, make a cert
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt # has prompts
# Creates an encrypted private key from the above cert
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 # has prompts

# To remove passphrases:
openssl rsa -in cakey.pem -out cakeyNoPass.pem
# -passin and -passout OR pass:password
# openssl rsa -in smtpd.key -out smtpdNoPass.key

# ==============================================

INSTALL POSTFIX KEYS, CERTs and CA KEY

cp smtpd.key server.key
cp smtpd.crt server.crt
cp cakeyNoPass.pem server.pem