What we did to get around the issue you see is to add an internal DNS entry for the cert name and tell users to use the external name to connect to the Amigopod.
I had this in mind, but the way it is all put together, it is also a bit complex.
Because the cert that is used is issued to an external company domain name, .companyexternal.com.
And the internal domain is another name, like .companyinternal.com.
So to get it all working, we need to add the external domain as a zone in the internal DNS servers. That could cause some problems because that external domain is also used for other services. But I'm looking deeper into this hoping it could be solved this way...
It might be helpful to modify the CSR process to include the ability to add subject alternative names (SAN) to the request. This way, one certificate can work for multiple names and even IP addresses. I have created a feature request for this.
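Building a CSR whose subjectAltName lists the external name, the internal name and an IP address, as an added shell example that is not from this thread or from Amigopod; the hostnames, IP address and temp paths are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the original thread: write an OpenSSL request config
# with a subjectAltName extension so one certificate covers every name a client
# may use, then generate the CSR and show the SAN line a CA would see.
set -eu

# Write the config. $1 = output path, $2 = common name, remaining args = SAN
# entries in OpenSSL syntax (DNS:host or IP:addr).
make_san_config() {
  cfg="$1"; cn="$2"; shift 2
  alt=""
  for entry in "$@"; do
    alt="${alt:+$alt,}$entry"
  done
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = req_ext
prompt             = no

[ req_dn ]
CN = $cn

[ req_ext ]
subjectAltName = $alt
EOF
}

# Generate a key and CSR from that config and print the SAN entries, so the
# request can be checked before it is submitted to the CA.
make_san_csr() {
  cfg="$1"; key="$2"; csr="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -config "$cfg" 2>/dev/null
  openssl req -in "$csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Constructed names standing in for the thread's .companyexternal.com and
# .companyinternal.com; 192.0.2.10 is a documentation-range placeholder.
SAN_DIR=$(mktemp -d)
make_san_config "$SAN_DIR/san.cnf" portal.companyexternal.com \
  DNS:portal.companyexternal.com DNS:portal.companyinternal.com IP:192.0.2.10

if command -v openssl >/dev/null 2>&1; then
  make_san_csr "$SAN_DIR/san.cnf" "$SAN_DIR/portal.key" "$SAN_DIR/portal.csr"
fi
```

The CA must copy the SAN extension into the issued certificate; browsers ignore the CN when a SAN is present, so every name users type has to appear there.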
This sounds like a nice solution for my problem!