Certificates are one thing and keys are a different thing. You can use OpenSSL to create both if you want. Certificates can be bogus as long as you don't enforce checking them, although at least one side (the server) should have its certificate checked for validity to make man-in-the-middle attacks more difficult to perform. Notice that even ssh, before performing session key exchange using the public key, does check the fingerprint on the certificate of the server.
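An added example, not part of the original text: a Python client that either enforces certificate checking or, when the server's certificate is self-signed, compares its SHA-256 fingerprint to a value obtained out of band, in the spirit of the ssh fingerprint check mentioned above. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"


def verifying_context() -> ssl.SSLContext:
    """Client context that enforces checking: CA chain validation and hostname match."""
    return ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True


def pinning_context() -> ssl.SSLContext:
    """Client context for a self-signed server: no CA validation, so the caller must pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex without colons."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison; accepts 'AA:BB:..' or 'aabb..' notation."""
    normalized = pinned_hex.replace(":", "").lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def connect_pinned(host: str, port: int, pinned_hex: str) -> ssl.SSLSocket:
    """Connect, then drop the session unless the server presents the pinned certificate."""
    sock = socket.create_connection((host, port), timeout=10)
    tls = pinning_context().wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # raw DER is available even with CERT_NONE
    if der is None or not matches_pin(der, pinned_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls
```

Using `pinning_context()` without the fingerprint comparison in `connect_pinned` accepts any certificate, which is the unchecked case the paragraph describes.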