Self-Signed Certificates

In Linux you can create a self-signed certificate pretty easily. You can even create a request for multiple sites supported by one certificate. It looks something like this:

cd /etc/pki/tls/private/

SAN="DNS:*.example.com, DNS:other.example.com.com" openssl req -new -key ca.key -out all.example.com.csr

Type in some answers when prompted, probably www.example.com as the server name (the Common Name), and so on.

Okay, but now I need the server to sign that request, so:

openssl x509 -req -days $((365 * 3)) -in all.example.com.csr -signkey ca.key

So that works.
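The request-and-sign steps above, as an added example that is not part of the original page, run in a scratch directory and checked for the SAN. It assumes the OpenSSL config takes subjectAltName from the SAN environment variable (the page does not show its openssl.cnf, so san.cnf and the sample names here are constructed), and it shows that `openssl x509 -req` ignores the CSR's extensions unless they are supplied again with -extfile.

```shell
#!/bin/sh
# Added example. Sample names and san.cnf are constructed here; the page's real
# openssl.cnf is not shown, so the ${ENV::SAN} hook below is an assumption.

make_san_cert() {   # $1 = scratch dir, $2 = SAN list
    dir=$1; SAN=$2; export SAN
    cat > "$dir/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = www.example.com
[ v3_req ]
subjectAltName = ${ENV::SAN}
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/ca.key"   # private key: owner read/write only
    openssl req -new -key "$dir/ca.key" -config "$dir/san.cnf" \
        -out "$dir/all.example.com.csr" || return 1

    # As on the page: no -extfile, so the CSR's SAN is not carried over.
    openssl x509 -req -days $((365 * 3)) -in "$dir/all.example.com.csr" \
        -signkey "$dir/ca.key" -out "$dir/no-san.crt" 2>/dev/null || return 1

    # Re-supply the extension section at signing time so the SAN survives.
    openssl x509 -req -days $((365 * 3)) -in "$dir/all.example.com.csr" \
        -signkey "$dir/ca.key" -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/with-san.crt" 2>/dev/null || return 1
}

# Print the SAN line of a CSR or certificate; prints nothing if it is absent.
san_of() {   # $1 = "req" or "x509", $2 = file
    openssl "$1" -in "$2" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

demo() {
    d=$(mktemp -d) || return 1
    make_san_cert "$d" "DNS:*.example.com, DNS:other.example.com" || return 1
    echo "CSR:               $(san_of req  "$d/all.example.com.csr")"
    echo "cert, no -extfile: $(san_of x509 "$d/no-san.crt")"
    echo "cert, -extfile:    $(san_of x509 "$d/with-san.crt")"
    rm -rf "$d"
}
demo
```

A certificate without the SAN still installs, but current browsers match hostnames against the SAN only, so checking the signed certificate rather than just the CSR is the step that catches this.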

Internet Explorer won't let me export the key because of course it doesn't match (and I'm working with a limited permission user as recommended) but Chrome does.

After you get the policy updated, people will be able to access your SSL site (within the domain) without any errors.

Active Directory

C:\>certreq -submit -attrib "CertificateTemplate:WebServer" request.csr

See: https://www.md3v.com/import-an-openssl-csr-into-windows-ca-server

Also see: http://blog.netnerds.net/2009/10/securing-apache-using-mod_ssl-openssl-and-microsoft-certificate-authority-ca/