The way I have dealt with this in the past was to buy a wildcard subdomain cert and only use that subdomain internally. The downside is that you have to delegate that subdomain from your public DNS to your internal DNS or do split horizon/split view. Both have caveats and require some thinking ahead. This is not a free solution, but I would consider it affordable for any small business. It is certainly much less complicated than setting up internal CAs and avoids the opex expenses of managing an internal CA and greatly simplifies managing certificate expiration.
e.g.
*.internal.some.tld
You may even be able to find a CA that will sell you a SAN cert with multiple wildcard subdomains listed. They lose money doing this and most will require you to buy a different wildcard cert for each sub-domain. There are no technical or CAB limits to wildcard subdomain SAN certs, only business policy per CA. If CAB have added any recent restrictions that I am unaware of, it would be for purely monetary reasons as the SAN RFCs have no restrictions on the number of names last I checked.
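The two comments above both rest on how a wildcard dNSName in a certificate's SAN list is actually matched: `*.internal.some.tld` covers exactly one label under `internal.some.tld`, not the apex and not deeper names, and a cert carrying several wildcards covers each zone independently. The following is an added example written for this page, not code from any commenter; the SAN list in it is constructed for illustration and the names (`lab.some.tld`, `corp.example`, `vpn.some.tld`) are assumptions. It applies the RFC 6125 wildcard rules that browsers and TLS libraries enforce, so you can check before buying which internal hostnames a given SAN list would cover.

```python
"""Check which hostnames a certificate's SAN dNSName list covers, using
the RFC 6125 section 6.4.3 wildcard rules as browsers enforce them."""

# Constructed SAN list for illustration (not a real certificate): one
# cert carrying several wildcard dNSName entries plus one plain name.
SAN_DNS_NAMES = [
    "*.internal.some.tld",
    "*.lab.some.tld",
    "*.corp.example",
    "vpn.some.tld",
]


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; drop a trailing dot from FQDNs.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname.

    Rules applied:
      * a wildcard is only honoured as the whole leftmost label
        (no "f*.some.tld", no "host.*.some.tld");
      * it matches exactly one label, so *.a.tld covers b.a.tld but
        neither a.tld (the apex) nor c.b.a.tld (two levels down);
      * a wildcard directly under a public suffix ("*.tld") is refused.
    Names without a wildcard must match label for label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    if len(p) < 3:
        return False  # refuse *.tld style patterns
    if len(h) != len(p):
        return False  # the wildcard spans exactly one label
    return h[1:] == p[1:]


def covering_name(san_names, hostname: str):
    """Return the first SAN entry that covers hostname, or None."""
    for name in san_names:
        if dns_name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ["git.internal.some.tld", "a.b.internal.some.tld",
                 "internal.some.tld", "nas.lab.some.tld", "vpn.some.tld",
                 "www.some.tld"]:
        print(f"{host:28} -> {covering_name(SAN_DNS_NAMES, host)}")
```

The practical consequence for the delegated-subdomain approach: every internal host has to live exactly one label under the wildcard's base (`git.internal.some.tld`, never `git.dev.internal.some.tld`), and the base name itself needs its own SAN entry if anything is served there. To check a real certificate, replace `SAN_DNS_NAMES` with the dNSName entries printed by `openssl x509 -noout -ext subjectAltName -in cert.pem`.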
FWIW I use letsencrypt for this, for free. The only downside is having a central set of HTTPS routers (e.g. nginx) that hold the wildcard certs to terminate TLS. If you spread your hosts across sites it can be annoying.