Presumably, by "intranet certificate", you mean a certificate that's issued to a local host name (e.g. "sqlserver" or "mail") or a private IP address.
There's one simple solution to this: use fully qualified domain names, even in an intranet. The clients connecting to your intranet servers will need to use the FQDNs too, but that's generally not very difficult. There's also nothing to prevent you from making your DNS resolve myinternalserver.mycompany.com to any IP address you'd like, including private IP addresses, even if the DNS servers are hosted outside your company's network. (For SSL/TLS verification, you don't even need reverse DNS to work, so that's not a problem.)
Managing your own CA is also a solution, but it can be quite a bit of administrative burden (depending on the size of your environment).
(From a security point of view, I think these intranet certificates shouldn't really exist anyway, since two completely different entities may be issued with distinct certificates valid for the same (relative) identity.)
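An added example (my own code, not part of the answer above) of the client-side check the answer relies on: a TLS client compares only the name it was asked to connect to against the certificate's dNSName SANs, following the RFC 6125 matching rules, and never consults the resolved IP address or reverse DNS. The SAN lists and host names below are constructed.

```python
"""Hostname matching as a TLS client performs it against dNSName SANs.

Rules implemented (RFC 6125 / RFC 9525): labels compare case-insensitively,
a wildcard is only accepted as the entire left-most label, it never spans
more than one label, and it must leave at least two fixed labels to its right.
"""

def hostname_matches(san_dns_names, requested_host: str) -> bool:
    """Return True if any dNSName SAN in san_dns_names covers requested_host.

    Note what is NOT consulted: the IP the name resolved to and reverse DNS.
    That is why an FQDN that resolves to an RFC 1918 address verifies fine.
    """
    host = requested_host.rstrip(".").lower().split(".")
    for san in san_dns_names:
        pat = san.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue  # a wildcard never spans multiple labels
        if pat[0] == "*" and len(pat) < 3:
            continue  # reject "*.com"-style wildcards
        if "*" in pat[1:]:
            continue  # wildcard permitted only in the left-most label
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


# Constructed SAN lists for two hypothetical intranet certificates.
SHORTNAME_CERT = ["sqlserver"]                                   # bare host name
FQDN_CERT = ["sqlserver.mycompany.com", "*.mycompany.com"]       # FQDN + wildcard


def demo() -> dict:
    """Show why clients and certificates must agree on using FQDNs."""
    return {
        # A short-name cert works only while every client also uses the bare name...
        "short cert, short name": hostname_matches(SHORTNAME_CERT, "sqlserver"),
        # ...and fails as soon as a client connects by FQDN.
        "short cert, fqdn": hostname_matches(SHORTNAME_CERT, "sqlserver.mycompany.com"),
        "fqdn cert, fqdn": hostname_matches(FQDN_CERT, "SQLServer.MyCompany.COM."),
        "fqdn cert, short name": hostname_matches(FQDN_CERT, "sqlserver"),
        "wildcard covers one label": hostname_matches(FQDN_CERT, "mail.mycompany.com"),
        "wildcard spans two labels": hostname_matches(FQDN_CERT, "a.b.mycompany.com"),
    }
```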