Self Signed Certificates
In Linux you can create a self signed certificate pretty easily, you can even create a request for multiple sites supported by one certificate, it looks something like this:
SAN="DNS:*.example.com, DNS:other.example.com.com" openssl req -new -key ca.key -out all.example.com.csr
Type in some answers here when prompted, probably for www.example.com as the server and so on.
Okay, but now I need to server to sign that request, so:
openssl x509 -req -days $((365 * 3)) -in all.example.com.csr -signkey ca.key
So that works.
Internet Explorer won't let me export the key because of course it doesn't match (and I'm working with a limited permission user as recommended) but Chrome does.
Click the green icon for the SSL status, it brings up certificate information as an option
On the Details tab, click the Copy to File option
On the export wizard, hit Next to get to the real options then DER encoded is fine
Save the file whatever.crt somewhere you can get to it from the AD GPO management tools
Open the GPO management and create or modify a policy and go to Edit
Dig down through Computer Config - Policy - Windows - Security Settings - Public Key Policies
Import your key into Trusted Root Certification Authorities
After you get policy updated, people will be able to access your SSL site (within the domain) without any errors.
C:\>certreq -submit -attrib "CertificateTemplate:WebServer" request.csr