
Self Signed Certificates

On Linux you can create a self-signed certificate easily with OpenSSL, and one request can cover several host names by listing them in a subjectAltName (SAN) extension. It looks something like this:

cd /etc/pki/tls/private/

SAN="DNS:*.example.com, DNS:other.example.com.com" openssl req -new -key ca.key -out all.example.com.csr
Type in some answers when prompted, probably www.example.com for the Common Name and so on. Note that the SAN environment variable only does something if the openssl.cnf that req reads contains a line such as subjectAltName = $ENV::SAN in the extension section named by req_extensions; otherwise the variable is silently ignored and the CSR carries no SAN at all. Check with openssl req -in all.example.com.csr -noout -text before going further.
Okay, but now I need the server to sign that request, so:
openssl x509 -req -days $((365 * 3)) -in all.example.com.csr -signkey ca.key -out all.example.com.crt

So that works. Since the request was made with ca.key and signed with ca.key, the result is self-signed. Be aware that openssl x509 -req does not copy extensions from the CSR into the certificate unless you pass -extfile and -extensions (or -copy_extensions copy on OpenSSL 3.x), so confirm the SAN survived with openssl x509 -in all.example.com.crt -noout -text. If it did not, browsers will only accept the certificate for the Common Name at best, and Chrome ignores the Common Name entirely.

Internet Explorer won't let me export the key because of course it doesn't match (and I'm working with a limited-permission user, as recommended), but Chrome does.
  1. Click the green padlock icon in the address bar for the SSL status; certificate information is one of the options
  2. On the Details tab, click Copy to File
  3. In the export wizard, click Next to reach the format options; DER encoded binary X.509 is fine
  4. Save the file as whatever.crt somewhere reachable from the Group Policy Management tools
  5. Open Group Policy Management, create or select a policy, and choose Edit
  6. Dig down through Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies
  7. Right-click Trusted Root Certification Authorities and import whatever.crt (the certificate only; the private key never leaves the server)
Once the policy has refreshed on the clients (gpupdate /force, or wait for the normal refresh interval), domain-joined machines will trust the certificate and reach the SSL site without warnings. Two caveats: the certificate is trusted only for the names in its SAN, and the private key sitting on the web server now anchors trust on every machine that received the policy, so guard it like a CA key, or better, have an internal CA issue the server certificate as described in the Active Directory section.
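Here is the whole Linux side as one runnable script, an added example that is not from the original page: it supplies the openssl.cnf section the SAN variable needs, signs the request so the SAN actually ends up in the certificate, and writes the DER copy for the GPO import directly, so nothing has to be exported through a browser. The file names (san.cnf, key.pem, cert.pem, whatever.crt), the www.example.com subject, the other.example.net sample name and the helper function names are assumptions, and a fresh key is generated instead of reusing ca.key.

```shell
#!/bin/sh
# Added example (not from the original page): the page's SAN="..." openssl trick,
# with the two pieces it leaves out. openssl only honours the SAN variable when the
# config it reads says subjectAltName = ${ENV::SAN}, and `openssl x509 -req` only
# puts that SAN into the certificate when told which extension section to apply.
# Assumed names: san.cnf, key.pem, cert.pem, whatever.crt, subject CN www.example.com.
set -eu

# Write a minimal req config whose v3_req section takes the SAN list from the environment.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = www.example.com

[ v3_req ]
# expanded by openssl from the SAN environment variable when the file is parsed
subjectAltName = ${ENV::SAN}
EOF
}

# make_san_cert OUTDIR "DNS:a, DNS:b"
# Produces OUTDIR/key.pem, all.example.com.csr, cert.pem (PEM) and whatever.crt (DER).
make_san_cert() {
    outdir=$1
    san=$2
    cnf=$outdir/san.cnf
    mkdir -p "$outdir"
    write_san_config "$cnf"

    # Fresh 2048-bit RSA key (the page reuses its existing ca.key instead).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/key.pem" 2>/dev/null

    # CSR: SAN is exported so ${ENV::SAN} resolves while openssl parses san.cnf.
    SAN="$san" openssl req -new -key "$outdir/key.pem" -config "$cnf" \
        -out "$outdir/all.example.com.csr"

    # Self-sign for three years. -extfile/-extensions carry the SAN into the
    # certificate; without them `openssl x509 -req` silently drops it.
    SAN="$san" openssl x509 -req -days $((365 * 3)) -in "$outdir/all.example.com.csr" \
        -signkey "$outdir/key.pem" -extfile "$cnf" -extensions v3_req \
        -out "$outdir/cert.pem"

    # DER copy for the GPO import, the same thing the Chrome export wizard produces.
    openssl x509 -in "$outdir/cert.pem" -outform DER -out "$outdir/whatever.crt"
}

# cert_has_san FILE NAME -> succeeds if DNS:NAME appears in the certificate's subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

# cert_is_self_signed FILE -> succeeds if issuer and subject are the same name
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# der_is_valid FILE -> succeeds if FILE parses as a DER-encoded X.509 certificate
der_is_valid() {
    openssl x509 -inform DER -in "$1" -noout 2>/dev/null
}

# Stand-alone run: build into a temp dir and show the names the certificate covers.
demo() {
    dir=$(mktemp -d)
    make_san_cert "$dir" "DNS:*.example.com, DNS:other.example.net"
    openssl x509 -in "$dir/cert.pem" -noout -subject -issuer -dates
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}'
}
demo
```

The config is deliberately the only place the SAN is spelled out: req reads it when building the CSR, and x509 -req reads the same section again when signing, which is the step the page's one-liner skips. Pointing the GPO import at whatever.crt from this script gives the same DER file as steps 1 to 4 above, without logging into the site from a browser first.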

Active Directory

If the domain runs an AD CS enterprise CA, the self-signed route above is unnecessary: have the CA sign the same OpenSSL request. Domain members already trust the enterprise CA, so no GPO change is needed. From a domain-joined Windows machine, as an account with Enroll permission on the template:

C:\>certreq -submit -attrib "CertificateTemplate:WebServer" request.csr

certreq accepts the PEM request OpenSSL writes. With more than one CA available it prompts for which to use; -config "CAHOST\CA Name" selects one without prompting, and a second positional argument (for example request.cer) names the output file. The issued certificate is written Base64-encoded unless -binary is given, so openssl x509 -in request.cer -noout -text reads it back on the Linux side (add -inform DER for the binary form). The built-in WebServer template takes the subject from the request, so the CN and SAN in the CSR should carry over; still check the issued certificate's subjectAltName before deploying it.

See: https://www.md3v.com/import-an-openssl-csr-into-windows-ca-server

Also see: http://blog.netnerds.net/2009/10/securing-apache-using-mod_ssl-openssl-and-microsoft-certificate-authority-ca/


