CryptoPro is in your head ... I wish I had suffered)))
A lot happened - that’s why it’s not like a comment)))
I didn’t climb deeply, but ....
1. Private keys are never laid out anywhere . As far as I understand, based on the private key, a public key is formed, but it is built into the system (server). When a device\user enters the server, he is given a public key - WHO AM I. The device\user system checks whether the public key matches the set of parameters for identification and checks with the certificate authority.
Winda at hand?
start - run - mmc
file - add or remove snap - certificates - add - my user account - done - ok
Look - Trusted Root Certification Authorities - Certificates.
Windows will not swear at certificates issued ... how to say it right? ... firms ... services.
What will happen to your devices? if you don’t try, you won’t know)))
Browsers can suddenly have their own system ....
Yours

unwillingness to distribute the root cert on hrenalion machines

can lead exactly to this)))
Therefore...
Either you buy a certificate from a third-party certification authority in the hope that everything will work.
Either you install your center and install the OPEN certificate of the center everywhere. Then devices\users, having logged into the server, having received the public key, will contact your certificate authority with a check. Works only inside the company / enterprise or post instructions on how poor people can install a certificate in trusted certification authorities.

If I understand the essence of ssl correctly, I need a certificate that supports wildcard.

No.
The whole point of "widely known" CAs, the whole basis of their gigantic business, is the fact that their certificates are already listed as root certificates in all popular browsers. And none of them will ever issue you a SubCA certificate, which gives you the right to issue their own certificates, which will eventually be confirmed by them.
In a corporate environment - only your own CA, the certificate of which is distributed by politicians on Windows machines and manually on webmords, printers, etc.
Well, or buy for each device - if there is a lot, a lot, a lot of money ...
The private key is not laid out anywhere. It is generated once and lies where the certificate request was created, without getting into the CA. The certificate received from CA can confirm one domain, well, two (with www and without www). You can do more with SAN - but such a certificate costs a lot more ...

There are no other options other than your own CA. Dot. "unwillingness to distribute the root certificate on dokhrenillion machines" is not a reason to fence crutches in the infrastructure. The layout of certificates is easily automated, and I would suggest that you direct your efforts to just such automation, and not to inventing how to fence a garden with the organization of multi-tiered wildcard certificates.
As for "narrow-minded auditors" - gently hint to the authorities of your organization about the competence of such auditors who do not know what a corporate PKI is.