DNS-01 & Gandi.net & 'Use a "Throwaway" Validation Domain'

Hello,
I am using Certbot to retrieve certificates for the domain: "mycompagny.fr".
These certificates will be installed on Internet and Intranet sites.
So I need to use the ACME DNS-01 validation method.

Unfortunately I do not have an API to manage the "mycompagny.fr" zone.

On the other hand, I have an account with "Gandi.net" and I'm able to create and manage domain names via their API.
For example, I can create these zones: "acme-mycompagny.fr" or a sub-zone "acme.mycompagny.fr" in the Gandi.net interface.

Is it possible to obtain certificates for "mycompagny.fr" through delegation to the "acme-mycompagny.fr" zone (Gandi.net)?

If yes:

  1. What static records should I declare in the “mycompagny.fr” zone?
  2. What dynamic records should I add in the “acme-compagny.fr” zone hosted by Gandi.net?
  3. How do I configure Certbot version 2.8.0 with Certbot-plugin-gandi version 1.5.0 to retrieve the certificate for intranet.mycompagny.fr?

I found these references:

paragraph: 'Use a "Throwaway" Validation Domain'

Thank you for your help.


I have only ever used the certificate manager in pfSense with aliases. It is built on acme.sh. Even if you choose another ACME client, their wiki entry may help you with the concept and structure.

If you choose acme.sh, note that you need to update the configured CA to use Let's Encrypt. They switched their default CA to ZeroSSL in August 2021.


The general idea is to create a CNAME record for _acme-challenge.subdomain.<yourdomain> and point it to a corresponding TXT record (which may not exist yet) in any other zone that you can easily update. Then have your client add/update the target TXT record and value, and continue with domain validation as normal.

It does depend on the ACME client, because it may need to know how to translate either the full record name or the partial name, depending on how the DNS provider's API is implemented (some expect to be told the destination zone they are updating, which is different from the domain you are getting the certificate for). In Certify The Web we call it a CNAME delegation rule; see "DNS Validation (dns-01) | Certify The Web Docs".

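To make the delegation mechanism described in the reply above concrete, here is an added example (not code from the thread, from Certbot, or from Certify The Web) that models both sides of a CNAME-delegated DNS-01 challenge offline: the client side, which has to follow the CNAME from `_acme-challenge.intranet.mycompagny.fr` to find which API-managed zone actually hosts the TXT record and what relative label that zone's API expects, and the CA side, which resolves the same name and compares the TXT value against the RFC 8555 §8.4 digest of the key authorization. The zone contents, the target name `_acme-challenge.intranet.acme-mycompagny.fr` and the token/thumbprint values are constructed for the example; the original poster's zones are only named, not published, in the thread.

```python
"""Offline model of DNS-01 validation through a CNAME-delegated challenge record.

Constructed example: zone data, record names and token values are assumptions,
not values taken from the forum thread.
"""
import base64
import hashlib

CHALLENGE_LABEL = "_acme-challenge"
MAX_CNAME_HOPS = 8  # defensive bound so a misconfigured loop cannot spin forever


def challenge_name(fqdn: str) -> str:
    """Owner name the CA queries for a dns-01 challenge on `fqdn`."""
    return f"{CHALLENGE_LABEL}.{fqdn.rstrip('.')}".lower()


def txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(token '.' thumbprint)) without padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def find_zone(zones: dict, name: str):
    """Longest-suffix match: return (hosted zone owning `name`, label relative to that zone).

    This is the "translation" step an ACME client's DNS plugin must perform when a
    provider API wants a zone plus a relative record name instead of a full FQDN.
    """
    parts = name.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in zones:
            return candidate, ".".join(parts[:i]) or "@"
    return None, None


def lookup(zones: dict, name: str, rtype: str) -> list:
    """Return the record data of type `rtype` at owner `name`, or [] if none is hosted."""
    zone, _ = find_zone(zones, name)
    if zone is None:
        return []
    return [data for typ, data in zones[zone].get(name, []) if typ == rtype]


def follow_cnames(zones: dict, name: str) -> str:
    """Follow CNAMEs from `name` to the final owner name, with loop and hop limits."""
    seen = set()
    for _ in range(MAX_CNAME_HOPS):
        targets = lookup(zones, name, "CNAME")
        if not targets:
            return name
        if name in seen:
            raise ValueError(f"CNAME loop detected at {name}")
        seen.add(name)
        name = targets[0].rstrip(".").lower()
    raise ValueError("too many CNAME hops")


def client_publish(zones: dict, fqdn: str, token: str, thumbprint: str):
    """Client side: resolve where the challenge name really lives and write the TXT there.

    Returns (zone the API call targets, relative record label) so the caller can see
    that the update goes to the delegated zone, not to the certificate's own zone.
    """
    target = follow_cnames(zones, challenge_name(fqdn))
    zone, label = find_zone(zones, target)
    if zone is None:
        raise LookupError(f"no API-managed zone hosts {target}")
    zones[zone].setdefault(target, []).append(("TXT", txt_value(token, thumbprint)))
    return zone, label


def ca_validate(zones: dict, fqdn: str, token: str, thumbprint: str) -> bool:
    """CA side: query the challenge name (CNAMEs followed) and compare the TXT value."""
    target = follow_cnames(zones, challenge_name(fqdn))
    return txt_value(token, thumbprint) in lookup(zones, target, "TXT")


def build_zones() -> dict:
    """Constructed sample zones: a static CNAME in the main zone delegating into the API zone."""
    return {
        # Zone without an API: one static CNAME per hostname is all that is ever needed here.
        "mycompagny.fr": {
            "_acme-challenge.intranet.mycompagny.fr": [
                ("CNAME", "_acme-challenge.intranet.acme-mycompagny.fr."),
            ],
        },
        # API-managed zone (here standing in for the Gandi-hosted one); TXT records land here.
        "acme-mycompagny.fr": {},
    }


if __name__ == "__main__":
    zones = build_zones()
    zone, label = client_publish(zones, "intranet.mycompagny.fr", "sample-token", "sample-thumbprint")
    print(f"client updated zone {zone!r}, record {label!r}")
    print("CA validation:", ca_validate(zones, "intranet.mycompagny.fr", "sample-token", "sample-thumbprint"))
```

The point of `find_zone` returning a zone plus a relative label is the one the reply makes: a plugin that only knows the certificate's domain would try to write `_acme-challenge.intranet` into `mycompagny.fr`, which has no API; the correct call goes to `acme-mycompagny.fr` with the label `_acme-challenge.intranet`. `follow_cnames` bounds the hop count and detects loops, so a mistaken CNAME pointing back at itself fails fast instead of hanging the renewal.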
