The path you take should get you to where you want to be.
Right now that ending location is a bit unclear (to me), so I can't offer my best advice.
You say you want another cert for another internal system. But who will be accessing that system?
If it includes anyone from the Internet, then you will have a problem with "port sharing".
Your choices there are:
Use a different unique port for each internally secured system.
Accept all HTTP/HTTPS to a single device and have it proxy the requests to their final destinations.
If you only want to access the systems within your own internal LAN, then you need to worry about the method used in getting the second cert.
In either case, you will need to address the name to IP situation:
On the Internet side - they will all resolve to the same external IP.
On the internal LAN side - they should resolve to their unique LAN IPs.
This can be solved by using an internal DNS system or hardcoding all the IPs into all the systems that need such access or using a firewall/router that supports "hair-pinning".
Understand that the cert will only "work" for URLs with the name in it.
That means: Access to IPs (HTTPS://192.168.10.10/) will not be secured with any LE cert.
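The point about names versus IPs, as an added example that is not part of the original post: a sketch of the name check a TLS client performs against a certificate's subjectAltName entries. The host names and the SAN list are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: dNSName SANs of a hypothetical certificate.
CERT_DNS_SANS = ["nas.example.com", "*.lab.example.com"]


def _dns_match(host, pattern):
    """Compare label by label; '*' may only stand in for the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p


def url_covered(url, dns_sans, ip_sans=()):
    """Return True if the host part of `url` is covered by the certificate."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Host is a name: compare against the dNSName entries.
        return any(_dns_match(host, s) for s in dns_sans)
    # Host is an IP literal: dNSName entries are never consulted,
    # only iPAddress entries (none in the sample certificate).
    return any(ip == ipaddress.ip_address(s) for s in ip_sans)


if __name__ == "__main__":
    for url in ("https://nas.example.com/",
                "https://cam.lab.example.com:8443/",
                "HTTPS://192.168.10.10/"):
        print(url, "->", "covered" if url_covered(url, CERT_DNS_SANS) else "name mismatch")
```

The same internal server passes the check when reached by name and fails it when reached by its LAN IP, which is why the internal name resolution has to be in place first.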