Any change to a certificate would require the making of a new certificate.
Simply add the new FQDN to the last request - thus increasing it by that one name.
And receive a new cert with the new and old names in it.
Like this one (one cert with two names):
There are three ways to authenticate cert requests.
But only one will work for sites that are not publicly accessible = DNS.
You will have to be able to update the DNS zone for that name (via an ACME client).
Essentially similar to obtaining a wildcard cert.
Read through this doc and see if your DNS provider is listed: User Guide — Certbot 2.7.0.dev0 documentation
If not listed, there may be other clients that may work with your DNS provider.
Otherwise you may have to get very creative...
Like allowing Internet access to that name; but having it NOT actually reach that site. Just enough to get the authentication. But that would depend largely on how your systems are set up and separated from each other and the Internet.
One other method could be to only allow port 80 access from the Internet to that name and use that for the authentication. And use the new cert on port 443 but on an IP that is not even accessible from the Internet or on a completely separate server.