In Linux you can create a self signed certificate pretty easily, you can even create a request for multiple sites supported by one certificate, it looks something like this:
SAN="DNS:*.example.com, DNS:other.example.com.com" openssl req -new -key ca.key -out all.example.com.csr
Type in some answers here when prompted, probably for www.example.com as the server and so on.
Okay, but now I need to server to sign that request, so:
openssl x509 -req -days $((365 * 3)) -in all.example.com.csr -signkey ca.key
So that works. I now have a self signed server key, but I'd really like our domain servers to accept that key too. I know that AD has the ability to act as a Certificate Authority but I haven't been able to figure out how to get it to sign CSRs so I really just need to tell computers on the domain to accept that key as okay.
Internet Explorer won't let me export the key because of course it doesn't match (and I'm working with a limited permission user as recommended) but Chrome does.