You can do that in one command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days XXX
You can add -nodes if you don’t want to protect your private key with a passphrase.
You may want to up the rsa:2048 to rsa:4096
Self-signed certs are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a CA.