For instance how can I use my *.domain.com SSL certs and NPM to route containers to a subdomain without exposing them? The main domain is exposed.
Your response clearly states publicly accessible DNS. A CA does not require anything public for local SSL and can work in conjunction with whatever service they want for that which is public.