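Generate the internal CA first (refer to the linked instructions); the commands below expect its certificate at certs/ca.crt.pem and its private key at private/ca.key.pem.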
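# Generate the 2048-bit RSA private key for the server certificate.
# genrsa is called without a cipher option, so the key is stored unencrypted:
# restrict the file to its owner explicitly rather than relying on the umask
# or on the default file mode of the installed OpenSSL version.
$ openssl genrsa -out private/example.key.pem 2048
$ chmod 600 private/example.key.pem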
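# Write the OpenSSL configuration used for both the CSR and the signing step.
# The heredoc delimiter is quoted so the shell copies the body verbatim
# (no variable or command substitution inside the config).
$ cat > cnf/example.cnf <<'EOF'
# Read by "openssl req" (via -config) and by "openssl x509 -req" (via -extfile).

[ req ]
# default_bits and encrypt_key apply only when "openssl req" generates the key
# itself; they have no effect when an existing key is passed with -key.
default_bits = 2048
encrypt_key = no
# Digest used to sign the CSR.
default_md = sha256
# Take the subject from my_distinguished_name instead of prompting.
prompt = no
utf8 = yes
distinguished_name = my_distinguished_name
req_extensions = my_extensions

[ my_distinguished_name ]
C = SG
ST = Singapore
L = Singapore
O = APJ
# Current TLS clients match hostnames against subjectAltName only, so this CN
# is informational: *.pcf.pivotal.io is not covered by the certificate unless
# it is also listed under my_subject_alt_names.
CN = *.pcf.pivotal.io

[ my_extensions ]
# Leaf certificate: it must not be usable to sign other certificates.
basicConstraints = CA:FALSE
# Restrict the key to TLS server use (least privilege). Add clientAuth to
# extendedKeyUsage only if this certificate is also presented as a client
# certificate.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @my_subject_alt_names
subjectKeyIdentifier = hash

[ my_subject_alt_names ]
# A wildcard matches exactly one DNS label, so every subdomain level that must
# be served needs its own entry.
DNS.1 = *.sys.pcf.pivotal.io
DNS.2 = *.apps.pcf.pivotal.io
DNS.3 = *.login.sys.pcf.pivotal.io
DNS.4 = *.uaa.sys.pcf.pivotal.io
EOF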
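# Create the CSR from the existing key. -reqexts selects the config section
# that holds the certificate *request* extensions.
$ openssl req -new -key private/example.key.pem -out csr/example.csr.pem \
    -config cnf/example.cnf -reqexts my_extensions
# Sign the CSR with the internal CA.
#  - "openssl x509 -req" does not copy extensions from the CSR by default, so
#    they are supplied again with -extfile/-extensions.
#  - default_md in the [ req ] section is not used by this command; -sha256
#    pins the signature digest instead of depending on the OpenSSL default.
#  - Without -days the certificate is valid for only 30 days; 365 is a sample
#    value, set it according to your rotation policy.
#  - -CAcreateserial creates the CA serial-number (.srl) file if it is missing.
$ openssl x509 -req -in csr/example.csr.pem \
    -CA certs/ca.crt.pem -CAkey private/ca.key.pem -CAcreateserial \
    -extfile cnf/example.cnf -extensions my_extensions \
    -sha256 -days 365 \
    -out certs/example.crt.pem
# Check that the new certificate chains to the internal CA (this form assumes
# certs/ca.crt.pem is a self-signed root), then review the subject, validity
# period, subjectAltName entries and key usage in the decoded output.
$ openssl verify -CAfile certs/ca.crt.pem certs/example.crt.pem
$ openssl x509 -noout -text -in certs/example.crt.pem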