In November of 2015 the CA/Browser Forum (CA/B) published that public certificate authorities were supposed to stop issuing certs for internal names or private IP addresses after July 1, 2012.

Guidance on Internal Names - CAB Forum

Internal Server Name SSL Certificate Issuance After 2015​

Replace Your Certificates for Internal Names | DigiCert Blog

You just need a simple web server cert installed on the connection servers for something like vdi.example.com using a public domain that you own.

1. Do you own a external domain that you can purchased a SSL cert for?
2. Do you run a internal DNS server that you can configure split DNS on for the external domain?
3. How many connection servers do you have?
4. Do you have a load balancer?
5. Is tunneling enabled on the connection servers?
6. What display protocol are you using (Blast, PCoIP)?
7. What clients do you use (Horizon Client, Zero/Thin client, HTML access)?

If you have two connection servers (cs1.company.local and cs2.company.local) you could purchase a single web server cert named vdi.company.com with SAN entries for vdi.company.com, cs1.company.com and cs2.company.com (Do this regardless of if you have a load balancer). Then install that cert on the load balancer (skip this if you don't have one), both connection servers and configure split DNS to resolve vdi.company.com to the internal IP of the load balancer, cs1.company.com to the internal IP of cs1 and cs2.company.com to the internal IP of cs2. You should not create public DNS entries that resolve to the private IP address. Replacing the SSL certificate is just a matter of importing it into the cert store on each connection server, removing the "vdm" friendly name from the existing cert, adding the "vdm" friendly name to the new cert and restarting the connection server services.