Just to clarify: A self-signed certificate will only be trusted by browsers that manually have trusted this certificate. Everybody else will get warnings.
In Windows you would run the powershell command New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName *.test.com -FriendlyName "star_test_com-2020" -NotAfter (Get-Date).AddYears(2)
to create a self-signed wildcard certificate for test.com with a two year lifetime.
Then you can search your start menu for manage computer certificates
to export the certificate for use on other computers. If you just want to trust the certificate on a client, you'll want a copy that is exported without the private key. If you want to present the certificate from a server, you need a copy that is exported with the private key.
For your own computer to trust the certificate, it needs to exist in the Trusted Root Certification Authorities
in the certificate manager. You can copy it there from the Personal
store by right-dragging it there with your mouse.
For (Windows/Microsoft) services to be able to present the certificate, it usually needs to exist in the LocalMachine\Personal store.
However: If you want to present services publicly, you will want to use a CA-signed certificate. It's definitely cheapest and probably easiest to go via Let's Encrypt, but I have no experience using them for Windows servers. The alternative is to pay for certificates from a commercial CA.