Hello,
I don't think what you are looking for is supported. I have not done this, but I have read a lot about it.
Cisco Finesse only supports 1:1 mapping, where the external FQDN resolves the private IP, so you need a dedicated NAT mapping for Finesse.
Now, regarding the certificate, I don't think that is an issue. You can download the certificate and install it manually on any PC and it will be trusted; it's like using an on-domain PC to access Finesse.
Amer