As you can’t use LE certs, maybe try this:
You need to adapt the “triggering” of the script (Here done when LE renews), this is not needed with internal certs. I think “manual” triggering should be OK, as Neth doesn’t change the cert often…
As the source would be the local CA SSL certs, I think the correct SOURCE folder would be
/etc/ssl/certs… (SSL certs can be in different formats, I think here just use the .crt files?).
You’ll also need to adapt the TARGET to be your second server instead of the first server’s internal AD container. Use the same location as the SOURCE on server one, from where you copy the certs, but of course on server 2…
Don’t forget to exchange SSH Keys, so you can copy over via script without authentication…
Hope this helps…
My 2 cents
Andy
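A minimal shape for the copy step described above, as an added example (not Andy’s or NethServer’s script): it takes the `.crt` files from a source directory and pushes them to a target that is either a local directory or an SSH destination such as `user@host:/path`, which relies on the key exchange mentioned in the post. The host name `server2.example.lan` and the use of `/etc/ssl/certs` on both sides are assumptions, as is the `COPY_CERTS_RUN` switch used to keep the script inert when it is only sourced.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Copies *.crt from a SOURCE directory to a TARGET. The TARGET may be a
# local directory (handy for a dry run) or an SSH destination like
# root@server2.example.lan:/etc/ssl/certs, which needs key-based SSH auth.

CERT_SRC="${CERT_SRC:-/etc/ssl/certs}"                            # assumed source on server 1
CERT_DST="${CERT_DST:-root@server2.example.lan:/etc/ssl/certs}"   # assumed target on server 2 (placeholder host)

# copy_certs SRC DST
# Copies only the .crt files (keys stay where they are) and returns
# non-zero when nothing was copied, so a calling job can notice an empty run.
copy_certs() {
    src="$1"
    dst="$2"
    count=0
    for f in "$src"/*.crt; do
        [ -f "$f" ] || continue
        case "$dst" in
            *:*) scp -q "$f" "$dst/" ;;   # remote target over SSH (key-based auth, no prompt)
            *)   cp "$f" "$dst/" ;;       # local directory
        esac
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Run the copy only when explicitly asked (COPY_CERTS_RUN=1 ./copy-certs.sh),
# e.g. from a manual trigger or a cron/systemd timer after a cert change.
if [ "${COPY_CERTS_RUN:-0}" = "1" ]; then
    copy_certs "$CERT_SRC" "$CERT_DST" && echo "copied .crt files to $CERT_DST"
fi
```

Restricting the glob to `*.crt` keeps private keys on the originating host; if the second server also needs the key, copy it deliberately with tight permissions rather than widening the pattern. After the copy, the services on the target that read those files still have to be reloaded to pick up the new certificate.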