Creating a dynamic SSL cert infrastructure for VMs/containers in sub-domains, some of which are intermittently air gapped

I am requesting help to create an infrastructure for dynamic SSL certs for use in containerized environment on multiple sub-domains of myrootdomain.com, some of which may have intermittent internet access. Let me explain.

1. We registered myrootdomain.com (not the real name, obviously) as a root domain.
2. We will have multiple sub-domains, e.g., sub1.myrootdomain.com, sub2.myrootdomain.com, etc.
3. Most of those sub-domains will be on-prem in various countries around the world.
4. We need the ability for these on-prem solutions to create dynamic SSL certs for VMs and containerized services, even when the on-prem network is disconnected from the internet.
5. These on-prem networks will be immutable Infrastructure as Code and these dynamic SSL certs will have short TTLs, as the containers are never intended to live long.
6. This would need to function in an air gapped environment.

We initially thought that we could purchase an SSL cert for the myrootdomain.com domain, then from that "parent" SSL cert on myrootdomain.com generate an intermediate cert for each sub-domain, from which we could generate dynamic SSL certs for the containers and VMs. As containers and VMs are destroyed, so are their certs. As containers or VM are spawned, a new SSL cert based on the intermediate cert of the sub-domain, would be generated and assigned. This would need to function in an air gapped environment.

What type of cert is needed on the myrootdomain.com domain? What type of certs are needed on the sub-domains? Where can I find some references for this use-case? Thank you for your time.

We reached out to 101domain.com (where the domain is registered) SSL support who told me we would have to regenerate the SSL cert on the root domain every time. I know that is incorrect, so we escalated the ticket to the engineers. I'm waiting on their response. In the meantime, I thought I'd ask the community.

I've Googled all manner of dynamic SSL certs on containers and VMs, but I haven't found anything relating to building the infrastructure for it or the type of certs needed. I'm sure it's because I am not using the right buzz words in my searches. You don't know what you don't know.

You would need a subordinate CA certificate if you wish for the certificates to be recognized by clients without specific configuration on the clients.

As you want this subordinate certificate to be able to issue certificates only for names under a specific domain, a Technically Constrained Subordinate CA Certificate, as defined by the Baseline Requirements would be enough for you.

I couldn't find a CA selling them through a quick search, but you might need to contact them. It will most certainly come with constraints on how you can store the key for this certificate and what kind of certificate you can issue through it, which will be regularly audited by the CA.

If this is only meant for clients you control, setting up your own pki and adding it to your clients might be easier.