It's amazingly easy. Get OpenSSL, install it...

Make your homebrew CA private key:

    openssl genrsa -des3 -out ca.key 1024

Create your CA self-signed public key (the CA certificate):

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

OK, you're set up as a homebrew Certificate Authority (CA) and ready to start signing your own homebrew certs.

First, create a homebrew private key:

    openssl genrsa -des3 -out server.key 1024

Create the unsigned public key (AKA certificate signing request). At one point in the process, it asks for "Your Name". If this is for personal identification, put in your name. However, if this is for a development web server, put in the web site address "dev.www.wherever.com" when it asks for "Your Name".

    openssl req -new -key server.key -out server.csr

Get the sign.sh script from the Apache mod_ssl distribution and use it to sign the certificate:

    ./sign.sh server.csr

There you go, you now have the private key (server.key) and the public certificate (server.crt). Install them on your web server. They will work, but your browser will whine about them being signed by an untrusted source. No problem there: give a copy of ca.crt (NOT ca.key!!) to any developers using your web server and have them install it on their machines. From then on, their browsers will consider any certs signed by your homebrew CA key to be valid.

To install the cert on IE browsers, a hint: you do not use your browser to do it, even though there is an "Install Cert" button on the window that pops up to let you know that the cert is signed by an unknown CA. Instead, you give them ca.crt and have them save it to their hard drive. Then they open Windows Explorer, right-click on ca.crt, and pick Install Cert from the menu. A Certificate Wizard will pop up; go with the defaults, and the machine will then trust the homebrew certs.

The root certificate game has always been just a money scam, especially for dev certs.
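The same CA-then-server-cert procedure as a non-interactive script, with a verification step, as an added example that is not part of the original text or of mod_ssl. Assumptions: 2048-bit passphrase-less keys, `openssl x509 -req` standing in for sign.sh, a constructed CA name "Homebrew Dev CA", hypothetical function names, and a subjectAltName entry, because current browsers match the host name against the SAN rather than the name typed at the "Your Name" prompt.

```shell
#!/bin/sh
# Added example: assumes 2048-bit keys, no passphrase, and
# `openssl x509 -req` in place of the mod_ssl sign.sh script.

# build_dev_pki DIR HOST
# Creates ca.key/ca.crt and server.key/server.csr/server.crt in DIR.
build_dev_pki() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # keep ca.key and server.key unreadable to other users

        # 1. CA private key and self-signed CA certificate
        openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
        openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
            -subj "/CN=Homebrew Dev CA" || exit 1

        # 2. Server private key and certificate signing request
        openssl genrsa -out server.key 2048 2>/dev/null || exit 1
        openssl req -new -key server.key -out server.csr \
            -subj "/CN=$host" || exit 1

        # 3. Sign the CSR with the CA key, adding the host as a SAN
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 365 -sha256 -extfile san.ext \
            -out server.crt 2>/dev/null || exit 1
    )
}

# verify_dev_cert DIR
# Succeeds only if server.crt chains to the ca.crt in DIR.
verify_dev_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_has_san DIR HOST
# Succeeds if server.crt lists HOST as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}
```

Run `build_dev_pki ./pki dev.www.wherever.com`, then `verify_dev_cert ./pki` before installing server.crt; only ca.crt leaves the directory.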