Do these servers have publicly resolvable addresses? If they use an internal naming scheme, you can't obtain public CA certificates for them. You would need to create your own internal CA and install this CA's root certificate on your local machines.
If these servers use publicly resolvable addresses, but are not accessible over the internet (or you can't serve up specific files/access a shell/etc.) you will need to use another computer or a service like ZeroSSL to generate certificates using DNS challenges, and load these onto the servers in question manually, more frequently than the expiry period of every 90 days.
If it were me, and I was using publicly accessible names (and didn't want to set up an internal CA for some reason), I'd set up a public-facing simple nginx server or something to serve challenge responses and automatically renew certificates. Installing new certificates will depend on the specific server in question.
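
The internal-CA route from the first paragraph, sketched with the `openssl` CLI as an added example that is not part of the original answer. The host name `files.corp.example`, the CA subject, the lifetimes and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): a minimal internal CA plus one server
# certificate. Subject names, lifetimes and file names are constructed.

# issue_internal_cert DIR HOST
# Writes DIR/ca.key + DIR/ca.crt (the internal root) and
# DIR/server.key + DIR/server.crt (leaf certificate for HOST).
issue_internal_cert() (
    set -e
    umask 077                      # private keys readable by the owner only
    dir=$1 host=$2
    # Private config so the result does not depend on the system openssl.cnf.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed root. ca.crt is the file to install on client machines;
    #    ca.key never leaves the machine that does the signing.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
    # 2. Server key and signing request for the internal name.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr"
    # 3. Sign the request with the root. Clients match on the SAN, not the CN.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 90 \
        -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/server.crt"
)

# verify_internal_cert DIR HOST
# Succeeds only if server.crt chains to ca.crt and its SAN covers HOST.
verify_internal_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt"
}
```

Call `issue_internal_cert /some/dir files.corp.example`, then `verify_internal_cert` with the same arguments. Verification with a host name that is not in the SAN fails.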