There are three ways of proving that you own a domain name and can thereby get a certificate for it:
Of those, the only one that doesn't need the name to be accessible to the complete Internet is the DNS-01 challenge, where you put a TXT challenge record in your DNS for the name to prove that you own it.
This gives a lot of flexibility, especially for cases like yours where the server isn't public. But in order to automate certificate issuance, you then need to be able to automate adding that TXT DNS record. Some DNS providers make this easier than others. If you say what DNS provider you're using we may be able to help you find more information about automating it.
The general way to automate getting certificates is through one of the clients:
It may take some trial and error to find one that works best for you. I'm not sure if you want something embedded within your application to get certificates, or if you just want some regularly-running script that creates whatever key and certificate files you need. (Java in particular sometimes is easiest to use with Jakarta Keystore files, which aren't a common output, so you might need to do some additional conversion on the files you get from the client you use, depending on what specific format your application needs.)
As I was trying to say, if the server isn't accessible from the outside then DNS validation is the way to go.
If the server IP is accessible to all and you can open port 80, then you can use HTTP-01 validation with something like certbot's standalone mode, where certbot spins up its own mini web server just to answer the challenge request.
But regardless, that would just get you a certificate file; you might need to do some work to integrate that file into your Java application.