As per July 2012 SSL certificates for local server names will not longer be issued, accoring to the CA/B Baseline Requirements. This has been decided by the CA/Browser Forum (CA/B) in November 2011.
The official solution is also changing your internal server name to a public domain name and requesting a "regular" SSL certificate for that public name.
You may find further information about the baseline requirements on the official website of the CA/B forum: https://cabforum.org/baseline-requirements/
You may find detailed instructions including "split-brain DNS" here: https://www.codetwo.com/admins-blog/san-certificates-and-split-brain-dns-in-exchange-2013/