by eru 679 days ago
Can't you have a limited wildcard?

Something like *.for-testing-only.company.com?


Yes, but then you are putting more information into the publicly logged certificate. So it is a tradeoff between scope of certificate and data leak.

I guess you can use a pattern like {human name}.{random}.internal but then you lose memorability.

I've considered building tools to manage decoy certificates, like it would register mail.example.com if you didn't have a mail server, but I couldn't justify polluting the cert transparency logs.
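To make the tradeoff in the reply above concrete, here is an added example (not code from the thread) that models which SAN entries a certificate needs for a set of internal hostnames and which labels a Certificate Transparency reader then learns; the company.com hostnames and the zone names are constructed placeholders, and wildcard matching follows the one-label rule browsers apply.

```python
"""Added example: scope of a wildcard SAN versus what a CT log exposes."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """A '*.' wildcard matches exactly one leftmost DNS label (RFC 6125 rules,
    which browsers implement), so '*.company.com' does not cover
    'db.prod.company.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # e.g. ".company.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]
    return bool(head) and "." not in head


def plan_sans(hostnames, wildcard_zones):
    """Decide which SAN entries a certificate needs and what a CT log reader
    learns from them. Hosts directly under a listed zone are folded into one
    '*.zone' entry; everything else must be listed literally (and therefore
    becomes public once the certificate is logged)."""
    sans, literal = set(), []
    for host in hostnames:
        zone = next((z for z in wildcard_zones
                     if wildcard_matches("*." + z, host)), None)
        if zone:
            sans.add("*." + zone)
        else:
            literal.append(host)
            sans.add(host)
    # Every non-wildcard label of every SAN is what ends up publicly logged.
    exposed = {lbl for san in sans for lbl in san.split(".") if lbl != "*"}
    return {"sans": sorted(sans),
            "literal": sorted(literal),
            "exposed_labels": sorted(exposed)}


if __name__ == "__main__":
    # Constructed sample inventory: two test hosts, one public host, one
    # multi-label internal host that a single wildcard cannot cover.
    hosts = ["mail.company.com",
             "alice.for-testing-only.company.com",
             "bob.for-testing-only.company.com",
             "db.prod.company.com"]
    print(plan_sans(hosts, ["for-testing-only.company.com"]))
    # Random zone label: nothing human-readable leaks, at the cost of memorability.
    print(plan_sans(["alice.k7x2q.company.com"], ["k7x2q.company.com"]))
```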
Made up problem, that approach is fine.