All of your machines that are members of your domain would benefit from internal ca. You won't have to worry about self-signing, and if you have Windows, it will automatically renew; if you don't have Windows, you may monitor the console or have it notify you when it's time to renew. You can also choose your own expiration timeframe... ten, twenty, and ninety years (not recommended but you get the idea).
As others have stated, I think you need to sit down and write out your functional requirements and Non-Functional Requirements, and then do some research - there are many many vendors, providing tools, managed services.
Look at reviews for popular tools, ask for opinions on ease of use
Other than the fact SSL is now an old term, and should not be confused with TLS:
SSL 1.0 - never publicly released due to security issues
SSL 2.0 - released in 1995. Deprecated in 2011
SSL 3.0 - released in 1096 and subsequently compromised via the Poodle attack.
TLS 1.0 - released in 1999 as an upgrade to SSL 3.0