I recommend to have all services in the DMZ do their config locally and just expose there service via 80/443. Way easier to handle.
For the front-end reverse proxy have a look at haproxy. There you can then provide your validated certificate to the clients.
Internal clients should also callout to the central reverse proxy (local DNS server or entries in hosts file).