As a network engineer I deal with digital certificates quite often for EAP-TLS authentication,  VPN, and device certificates like on WLC controllers .

Customers that don’t need a public certificate just want a valid certificate loaded on the device to make it work. I used to create certificates with OpenSSL , that is flexible and works great but lacks a GUI.

XCA is a Windows application with a nice GUI and great features to create and manage certificates:

This application is intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smartcards and CRLs. Everything that is needed for a CA is implemented. All CAs can sign sub-CAs recursively. These certificate chains are shown clearly. For an easy company-wide use there are customiseable templates that can be used for certificate or request generation. All crypto data is stored in an endian-agnostic file format portable across operating systems.

<img src="https://www.ifconfig.it/images/xca-300x214.png" alt="">

There’s a Open Source PKI Book  available online, it’s dated but a good reference to understand PKI. If you work with Cisco devices PKI Uncovered from Cisco Press is a good reference too.