The exact solution depends on your environment, but generally you have two options.
If the domain is internal, too (like example.local, or anything not resolvable for the outside world), you will have to roll your own Certificate Authority. The InterWebz is full of articles on this, but your main problem will be to roll out your signing certificate. In a Windows environment, it is as easy as setting it up in Active Directory. In a Linux only environment, you might want to roll out a package that installs the signing cert as a valid one. For Macs… well i honestly have no idea how it works there.
If your domain and all your hostnames are resolvable for the outside world you can still go with option one, but you can get free certificates from LetsEncrypt. Or, if you don’t trust them, you can buy actual certificates from a lot of parties from VeriSign to COMODO. It can be pricey, but they are the most trustworthy as of now. This solution takes off the burden of running your own CA, but it might create other problems.
As usual, the choice is yours, as we can’t possibly know all your circumstances, your budget, and all the small details of your requirements.