[SalesForce] Export a private key associated with a self-signed certificate

The handshake is done over natural HTTPS connections (SSL/port 443).

Configuring your server/endpoint to be SSL-enabled doesn't require any involvement with ExactTarget, except to ensure your SSL-chain is valid.

We recommend that you perform a standard "production-grade" CSR (Certificate Signing Request) and use a trusted CA to authenticate your SSL. This simplifies the process of certificate validation and verification (self-signed certificates can be problematic).

Does this answer your question?

Per the documentation you linked:

Don’t include the root certificate authority certificate. The root certificate isn’t sent by your server. Salesforce already has its own list of trusted certificates on file, and a certificate in the chain must be signed by one of those root certificate authority certificates.

Self-signed certificates will not work, because there must be a trusted root CA at the end of the certificate chain. However, it doesn't have to be a cert signed directly from a CA. Assuming you already have a CA-issued certificate, you can create a new certificate and sign it with your certificate that you received from the CA (thus creating a chain of trust), and then you can validate against this other certificate. You'll need to include all certificates in the chain, except for the root, as outlined in that documentation. You may create a certificate solely for this mutual authentication method, but it must be signed by a higher authority.