First, create your own internal CA.
Internal CA is really just a self-signed cert (keypair). Make sure to use proper extensions when creating it. At the very least, specify "Subject is a CA" in "Basic Constraints".
Do not set CN in the subject so this keypair can never be used as a cert for actual domains.
The validity period should be long, remember that you will need to reissue all the certs once the CA's cert expires
You can now start generating end-entity certs.
You can use excellent Keystore Explorer tool for that.
Simply right-click on your CA keypair, select "Sign new key pair".
Then enter all the parameters of the new cert. Use our best practices when creating new certs.
Save the keystore.
Unfortunately, this means that all your generated keypairs will reside in the same keystore. Do not distribute this keystore with applications. Instead, create an application-specific keystore using "export". This application-specific keystore should contain only the keypair (and our internal CA) specific to the application's domain.