I had a Let’s Encrypt for an internal domain for a while. It was a wildcard subdomain of one of my external domains. *.x.y.com I created it by setting up a temp webserver and creating it from there. I ran into internal issues because I also had hairpinning for some services and not others.

Alternatively, you could do your own CA with something like EasyCA. You’d have to add the CA cert to all devices, but once you do, you have full control to create any certs you want.