It shouldn't. There is no way to prove ownership of a domain, because everyone owns it. Both a genuine company and their attacker have the right to use the .internal TLD, so both should be granted a certificate. This makes it completely trivial for the attacker to MitM the company's TLS connections.
The only option to somewhat-securely run TLS would be to have the company run their own internal CA, and trust its root certificate on all internal clients.
I suspect you'd need to generate your own, unless they intend on allowing people to register them. It's hard to provide an SSL for the 100,000 different "tv.internal".