For local services, you can get certificates with CAs that support DNS validation (e.g. LetsEncrypt support that). You'll likely want a DNS provider that has a suitable API so that the e.g. ACME script can post the relevant code to the DNS record, but then you're good to go. A proper public domain name that points at an internal only IP address.
The other benefit of DNS validation is that you don't need to run it on the web server itself (e.g. if it doesn't have internet connectivity), but you can have an ordinary PC/laptop request the certificate and then copy it to where it's needed.
The other benefit of DNS validation is that you don't need to run it on the web server itself (e.g. if it doesn't have internet connectivity), but you can have an ordinary PC/laptop request the certificate and then copy it to where it's needed.