In Linux you can create a self signed certificate pretty easily, you can even create a request for multiple sites supported by one certificate, it looks something like this:

cd /etc/pki/tls/private/
SAN="DNS:*.example.com, DNS:other.example.com.com" openssl req -new -key ca.key -out all.example.com.csr
Type in some answers here when prompted, probably for www.example.com as the server and so on.
Okay, but now I need to server to sign that request, so:
openssl x509 -req -days $((365 * 3)) -in all.example.com.csr -signkey ca.key

So that works. I now have a self signed server key, but I'd really like our domain servers to accept that key too. I know that AD has the ability to act as a Certificate Authority but I haven't been able to figure out how to get it to sign CSRs so I really just need to tell computers on the domain to accept that key as okay.

Internet Explorer won't let me export the key because of course it doesn't match (and I'm working with a limited permission user as recommended) but Chrome does.

1. Click the green icon for the SSL status, it brings up certificate information as an option
2. On the Details tab, click the Copy to File option
3. On the export wizard, hit Next to get to the real options then DER encoded is fine
   
4. Save the file whatever.crt somewhere you can get to it from the AD GPO management tools
   
5. Open the GPO management and create or modify a policy and go to Edit
   
6. Dig down through Computer Config - Policy  - Windows - Security Settings - Public Key Policies
7. Import your key into Trusted Root Certification Authorities

After you get policy updated, people will be able to access your SSL site (within the domain) without any errors.