I think I see the issue. Since you are using the newer software to generate you own self-signed certificate then
the issue would seem to be you need to add "7 - CRL Signing" which is now required. See the paragraph on
"Self-signed certificates must now have the Certificate Signing attribute set"
http://dcx.sap.com/index.html#sa160/en/sachanges/newsa-sa-16-nagano-sp-enhancements.html