How to issue a single certificate using ADCS for all switches or other equipment?
Tell me where to dig.
Given:
A lot of equipment to which I would like to connect via an encrypted channel, but adding each piece of hardware to AD CS will take too much time.
Tell me, can there be a way to issue one certificate, and then distribute it?
1. Create a subzone in DNS - for example nethw.%companydomain.local%.
2. Create DNS entries in it for each device in order to address them by DNS name.
3. Issue a wildcard certificate for *.nethw.companydomain.local
4. Add it to all devices.
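
Steps 3 and 4 of the answer above, as an added example that is not part of the original answer: a certreq request for the wildcard name, followed by a PFX export for distribution. The template name WebServer, the CA config string (a placeholder) and the working directory are assumptions.

```powershell
# Added example, not from the original thread. Run from an elevated prompt
# on a domain-joined machine. Assumptions: the "WebServer" template is
# published on the CA and accepts a subject supplied in the request; the
# CA config string below is a placeholder to replace with your own.
$zone     = 'nethw.companydomain.local'   # DNS subzone created in step 1
$caConfig = 'CA-HOST.companydomain.local\PLACEHOLDER-CA-NAME'
$work     = Join-Path $env:TEMP 'nethw-wildcard'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq policy file: subject and SAN both carry the wildcard name.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=*.$zone"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.$zone&"

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$work\wildcard.inf" -Encoding ASCII

certreq -new    "$work\wildcard.inf" "$work\wildcard.csr"   # key pair + CSR
certreq -submit -config $caConfig "$work\wildcard.csr" "$work\wildcard.cer"
certreq -accept "$work\wildcard.cer"                        # bind cert to key

# Export certificate and private key for installation on the devices.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -eq "CN=*.$zone" |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$work\wildcard.pfx" -Password $pfxPassword
```

Every device that receives this PFX holds the same private key, so a key leak from any one switch means reissuing and reinstalling the certificate on all of them. The wildcard covers only names one label below the subzone, which is why step 2 puts every device directly under nethw.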
No way. And there is no need.
Certificates are not a noob topic and never will be. Any piece of hardware can generate a self-signed one; there is no need at all to put a generated one on it: it only adds crap and the switch can hang. And the procedure for installing a certificate differs greatly from one switch to another.
Installing generated certificates only comes from the desire to reach the hardware by a nice name like "switch1-1-1.zhopa.ruchka" rather than by address; otherwise there is no point. And for the sake of that nicety, all switches must first be entered in DNS, and that has to be maintained. Yes, this can be done if there is nothing else
In order not to bother with ADCS, you can use XCA.
Import the generated XCA root certificate into the domain root store by executing the command as a domain administrator on any domain member computer:
certutil -f -dspublish "DOMAIN ROOT CA.crt" RootCA
devices. The new domain includes suffixes of the network interface in DNS by domain policies.