PKI certificate issuance is a separate task from ConfigMgr and highly depends upon your PKI infrastructure. Without knowing all of the details of your PKI, not a whole lot can be said, i.e., this is almost certainly much bigger than a simple forum post could or should handle. I've added the Windows Server Security tag as well for visibility, because as noted, this isn't specific to ConfigMgr.
One additional note here is that there's nothing special about managed systems in a DMZ from a ConfigMgr perspective that requires them to use HTTPS communication. Thus, unless you already require HTTPS communication for all managed clients, you may not need to worry about this.