For instance how can I use my *.domain.com SSL certs and NPM to route containers to a subdomain without exposing them? The main domain is exposed.
For instance how can I use my *.domain.com SSL certs and NPM to route containers to a subdomain without exposing them? The main domain is exposed.
They do not. See my other reply about DNS verification.
Your response clearly states publicly accessible DNS. A CA does not require anything public for local SSL and can work in conjunction with whatever service they want for that which is public.
Fair, I don’t know why I read OPs post as asking for let’s encrypt certs. Internal CA is indeed an option.