WebSocket Java server with no web server

There are three ways of proving that you own a domain name and can thereby get a certificate for it:

Of those, the only one that doesn't need the name to be accessible to the complete Internet is the DNS-01 challenge, where you put a TXT challenge record in your DNS for the name to prove that you own it.

This gives a lot of flexibility, especially for cases like yours where the server isn't public. But in order to automate certificate issuance, you then need to be able to automate adding that TXT DNS record. Some DNS providers make this easier than others. If you say what DNS provider you're using we may be able to help you find more information about automating it.

The general way to automate getting certificates is through one of the clients:

It may take some trial-and-error to find one that works best for you. I'm not sure if you want something embedded within your application to get certificates, or if you just want some regularly-running script that creates whatever key and certificate files you need. (Java in particular sometimes is easiest to use with Jakarta Keystore files, which isn't a common output so you might need to do some additional conversion on the files you get from the client you use depending on what specific format your application needs.)
