Hi @Salves
My first comment is: if your new domain is .local, then be careful with Apple-based devices, as they will not be able to access this domain, since .local is reserved as defined in the DNS RFCs.
If you install a Microsoft Enterprise CA, it can be used to sign domains that are not the same as the domain name of the AD. The CRT file or request just needs to include the required URL that the CA will sign.
Gary.
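An added example, not part of Gary's reply, of what "the request just needs to include the required URL" looks like in practice when requesting from a Microsoft Enterprise CA: a certreq .inf file whose Subject and Subject Alternative Name carry a DNS name that differs from the AD domain name, followed by the submit/accept steps and a check of the issued certificate. The host name, CA name and template name are placeholders (assumed values, not from the original post); the template must exist on the CA and allow the requesting machine to enroll.

```powershell
# Request a certificate for a name outside the AD domain from an Enterprise CA.
# Placeholder values (assumed, not from the thread): the external name, the CA
# config string "CAHOST\CA-Name", and the "WebServer" template.

$ExternalName = 'www.example.com'      # name that differs from the AD domain
$CaConfig     = 'CAHOST\CA-Name'       # hostname\CA common name, from: certutil -config - -ping

# certreq .inf: the Subject and SAN (OID 2.5.29.17) carry the external name.
# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$Inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
; Subject Alternative Name: browsers match on this, not on the CN.
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.com&"
_continue_ = "dns=example.com"

[RequestAttributes]
; Enterprise CA template to request against (must permit the requesting computer).
CertificateTemplate = WebServer
'@

$Inf | Set-Content -Path .\request.inf -Encoding ASCII

# 1. Build the key pair and PKCS#10 request.
certreq -new .\request.inf .\request.req

# 2. Submit to the Enterprise CA; the issued cert lands in cert.cer
#    (or the request shows as pending if the template needs manager approval).
certreq -submit -config $CaConfig .\request.req .\cert.cer

# 3. Bind the issued certificate to the private key in the machine store.
certreq -accept .\cert.cer

# 4. Verify the issued certificate actually carries the intended SAN entries
#    before deploying it; the CA applies template policy and may alter names.
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Resolve-Path .\cert.cer))
$San  = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
if ($San -notmatch [regex]::Escape($ExternalName)) {
    throw "Issued certificate does not include SAN entry for $ExternalName"
}
$San
```

If a request is rejected, certreq reports the CA's reason; the usual causes are a template that does not grant the computer enroll rights or a template that builds the subject from AD rather than from the request (the "Supply in the request" setting is what lets the external name through).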