For securing internal services, acting as your own CA can be very convenient. Buying a wildcard SSL cert might be too expensive, or your internal services might span multiple domains. A lot of people simply use self-signed certs, which are definitely better than nothing, but they leave you open to MITM attacks and require clicking through warning screens frequently.
By acting as your own CA, you can tightly secure internal services by requiring client certificates from your employees to connect, and HTTP-based services can be served securely without telling your employees to accept self-signed certs.
Doing this is pretty simple with OpenSSL. First, generate a key and certificate pair for your new internal certificate authority.
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 365 -out ca.crt
Then generate an SSL certificate that is signed by the certificate authority.
# New key
openssl genrsa -out example.com.key 2048
# New certificate signing request
openssl req -new -key example.com.key -out example.com.csr -subj "/C=US/ST=CO/L=Boulder/CN=example.com"
# Sign a certificate from the request
openssl x509 -sha256 -req -in example.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out example.com.crt -days 365
# Toss the request, no longer needed
rm example.com.csr
These keys can now be revoked as needed, used by employees as client certs, or used to secure internal-use-only domains. Employees will need to add the new CA certificate to the root certificates on their machines.
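Current browsers match the hostname against the subjectAltName extension rather than the CN, and `openssl x509 -req` does not copy extensions from the request by default, so a certificate signed exactly as above carries no SAN. The script below is an added example, not part of the original post: it repeats the CA and signing steps with the SAN supplied at signing time, then checks that the result chains to the CA and that a self-signed certificate for the same name does not. The CA subject and the `ext.cnf` and `rogue.crt` file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The CA subject, ext.cnf and
# rogue.crt names are assumptions made for illustration.
issue_and_verify() {
    host="$1"
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        umask 077   # keep private keys readable by the owner only

        # Internal CA, as in the post but with a non-interactive subject
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        openssl req -x509 -new -nodes -sha256 -key ca.key -days 365 \
            -subj "/CN=Internal Example CA" -out ca.crt || exit 1

        # Server key and signing request
        openssl genrsa -out "$host.key" 2048 2>/dev/null || exit 1
        openssl req -new -key "$host.key" -subj "/CN=$host" \
            -out "$host.csr" || exit 1

        # Extensions are supplied at signing time through -extfile
        printf '%s\n' "subjectAltName=DNS:$host" "basicConstraints=CA:FALSE" \
            "extendedKeyUsage=serverAuth" > ext.cnf
        openssl x509 -req -sha256 -in "$host.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -extfile ext.cnf -days 365 \
            -out "$host.crt" 2>/dev/null || exit 1

        # 1. The issued cert chains to the internal CA
        openssl verify -CAfile ca.crt "$host.crt" >/dev/null 2>&1 || exit 2
        # 2. The hostname is present in subjectAltName
        openssl x509 -in "$host.crt" -noout -text \
            | grep -qF "DNS:$host" || exit 3
        # 3. A self-signed cert for the same name is rejected
        openssl req -x509 -new -nodes -key "$host.key" -subj "/CN=$host" \
            -days 1 -out rogue.crt || exit 1
        if openssl verify -CAfile ca.crt rogue.crt >/dev/null 2>&1; then
            exit 4
        fi
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Calling `issue_and_verify example.com` returns 0 when all three checks pass; return codes 2, 3 and 4 identify which check failed.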