Exim provides a script for this. Either run:

/usr/share/doc/exim4-base/examples/exim-gencert

or create a certificate manually. Within the /etc/exim4 directory run:

openssl req -x509 -sha256 -days 9000 -nodes -newkey rsa:4096 -keyout exim.key -out exim.crt

Shows

Generating a 4096 bit RSA private key
............................................++
.............................................................................................................................++
writing new private key to 'exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Jersey
Locality Name (eg, city) []:St. Helier 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShareWiz
Organizational Unit Name (eg, section) []:Tech
Common Name (e.g. server FQDN or YOUR name) []:mail.sharewiz.net
Email Address []:admin@sharewiz.net

Uncomment the following lines.

/etc/exim4/exim4.conf.template

# plain_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CON$
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif

Create (or edit if it exists) /etc/exim4/exim4.conf.localmacros

Add the line:

/etc/exim4/exim4.conf.localmacros

MAIN_TLS_ENABLE = true

Create /etc/exim4/passwd

Copy output from:

htpasswd -nd usernameforsmtp

And paste it in /etc/exim4/passwd

Repeat for any other logins you'd like to add.

update-exim4.conf
/etc/init.d/exim4 restart