LE only offers one “type” of certificate - Domain Validation (DV) certs, which are an industry standard.
Unless your app requires a specific “type” of cert that can’t be serviced by a general purpose client authentication and server authentication cert, you should be able to use an LE cert (i.e. CODE-SIGNING certificate).
That said, how you GET the cert may be more problematic, as you mentioned that the systems are in a closed network - presumably with no Internet access.
So you will need a couple of things:
- A domain name that can be authenticated (via DNS or HTTP or HTTPS) from the Internet.
- A system and means to get a cert - Internet connection required.
- A method to export the cert from that Internet connected system and import it into the closed network system(s) - and which will expire every 90 days.
Or you may want to re-evaluate the “trust” requirement of the cert used for your app.
If the systems are in a closed network (off-the-Internet), why not just create your own cert and have those systems trust it - and that private cert can expire in 50 years if you want. So you will only have to do it once.
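
The private-cert route suggested in the post above, sketched with OpenSSL as an added example that is not part of the original post. It assumes a split into a long-lived root CA (the cert the closed-network systems trust) and a shorter-lived leaf cert for the app; the file names, subject names, key sizes, the 825-day leaf lifetime and the hostname argument are all assumptions.

```shell
#!/bin/sh
# Added example. File names, subject names, key sizes and lifetimes are assumptions.

# make_private_pki DIR HOSTNAME: private root CA plus one leaf cert for HOSTNAME.
make_private_pki() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # Own config so the result does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
EOF
    # Root CA, valid about 50 years (18250 days). -nodes leaves the key
    # unencrypted for the demo; protect a real CA key with a passphrase.
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -newkey rsa:3072 -nodes -sha256 -days 18250 \
        -subj "/CN=Example Closed-Network Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Leaf key and CSR, then a leaf cert signed by the root with server and
    # client authentication usages and the hostname as a SAN.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$dir/pki.cnf" \
        -extensions v3_leaf -out "$dir/leaf.crt" 2>/dev/null || return 1
}

# verify_leaf CA_DIR LEAF_CERT: succeeds only if LEAF_CERT chains to CA_DIR/ca.crt.
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$2" >/dev/null 2>&1
}

# Usage: sh script.sh OUTPUT_DIR HOSTNAME
if [ "$#" -eq 2 ]; then
    make_private_pki "$1" "$2" && verify_leaf "$1" "$1/leaf.crt" && echo "OK: $1/leaf.crt"
fi
```

Only `ca.crt` needs to be installed in the trust stores of the closed-network systems; `ca.key` stays on the machine that issues certs.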