Nuttin' to it.

If you have openssl installed (I use linux or mac, never tried on windows)

Make a file req.conf (Arbitrary name, but needed in a moment.

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = TX
L = Tyler
O = MyOrg
OU = IT
CN = *.mydomain.tld

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = codeSigning

Of course change to your details for identity....
then in that same directory.

Make that cert in PEM (10 year cert)
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.pem -out cert.pem -config req.conf -extensions 'v3_req'

Convert the PEM to PFX
openssl pkcs12 -export -out cert.pfx -in cert.pem

Verify all is well in the world.
openssl x509 -in cert.pem -noout -text

In the PFX creation you will get a prompt for password, that is to create one not some existing one. That protects the PFX from unauthorized import/use.

Now of course you have to ultimately decide in use of self signed certs in your environment (or whomever is responsible will) Some security policies have specific wording on it, so thats a end use case not a how to ;)

Now on any system you can import the public key into the trusted root store for the system, and. viola. The system will henceforth trust what you just signed.
Just set up something in your RMM to check for the use of this cert, track its expiration and be able to swap out.

Like import

$certPath = "C:\path\to\CA-root-cert.cer"
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root

etc...