You can’t use any publicly trusted CA if your domain is internal-only. More specifically, if it is a domain name you “made up” and not a public/ICANN domain. This practice was forbidden a couple of years ago by the CA/B forum.
If you own, say, example.com, and want to get a certificate for internal.example.com, that might still be possible via split-horizon DNS. You would internally resolve the domain to a different IP than from the public internet. The public DNS record would point to a server only used to solve the domain ownership challenge (this is where you would run the client, and then move the resulting certificate to your internal server).
Setups like that can be quite tricky; personally I would just establish an internal CA and deploy it to all clients (for example via Active Directory, or just manually if you don’t have many clients).