You need a wildcard cert for your subdomain:
*.legal.example.com
Then point that record to 127.0.0.0. This will not resolve for anyone. But you’ll have an internal DNS entry (using pihole/adguard/unbound) that redirects to your reverse proxy.
You could also point to your reverse proxy internal address instead of 127.0.0.0.
This video could help you: https://www.youtube.com/watch?v=qlcVx-k-02E
https://lemmy.world/comment/10089750
This is how I did it.
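An added example, not part of the comment above and not the commenter's code, that checks the two things this setup relies on: that the wildcard certificate actually covers a given hostname (a TLS wildcard matches exactly one label, so `*.legal.example.com` does not cover `legal.example.com` itself or `a.b.legal.example.com`), and that the address the public record hands out is non-routable while the internal override points at a private address. The hostnames and the `192.168.1.10` proxy address are constructed placeholders, not values from the comment.

```python
import ipaddress

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """TLS-style wildcard check (RFC 6125): '*' must be the whole leftmost
    label and matches exactly one label, never zero and never several."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # e.g. ".legal.example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    # The part replacing '*' must be a single non-empty label.
    return left != "" and "." not in left and "*" not in left

def is_non_routable(ip: str) -> bool:
    """True for loopback (127.0.0.0/8), RFC 1918/private, or unspecified
    addresses, i.e. anything a public record can safely point at."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_private or addr.is_unspecified

# Constructed sample of the split-horizon plan: the public zone publishes a
# loopback address (as the comment suggests), the internal resolver overrides
# the same name with the reverse proxy's LAN address (assumed value).
PUBLIC_ANSWER = "127.0.0.0"
INTERNAL_ANSWER = "192.168.1.10"
CERT_PATTERN = "*.legal.example.com"

def check_host(hostname: str,
               cert_pattern: str = CERT_PATTERN,
               public_ip: str = PUBLIC_ANSWER,
               internal_ip: str = INTERNAL_ANSWER) -> dict:
    """Summarise whether a hostname fits the wildcard-cert + split-DNS plan."""
    return {
        "cert_covers": wildcard_matches(cert_pattern, hostname),
        "public_non_routable": is_non_routable(public_ip),
        "internal_private": ipaddress.ip_address(internal_ip).is_private,
    }

if __name__ == "__main__":
    for name in ("vault.legal.example.com",
                 "legal.example.com",
                 "a.b.legal.example.com"):
        print(name, check_host(name))
```

The second and third hostnames show the usual surprise: the apex of the subdomain and any deeper name need their own certificate or a separate wildcard, even though a DNS wildcard record would happily answer for them.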