this is all fine and good, if you are okay broadcasting your internal hostnames. I suppose it's a trade off some might make.
There's one way around that which is requesting a wildcard cert, but then that has its own rammifications
There's one way around that which is requesting a wildcard cert, but then that has its own rammifications