I have a problem with the following system:
- There is a Windows 2012 R2 TS farm with 2 nodes, a gateway and a broker
- It's available externally from login.example.com
- There is an AD too, the TS farm servers are member servers, the AD domain is example.local
The problem: I would like to allow users to access this system without any warning or any certificate installation requirements. The computers are non-AD computers and there is no way to make them AD-member.
Things that I tried or thought about:
- I tried to get a free StartSSL certificate for login.example.com, but after I installed it, starting a TS session broke because of a name mismatch.
- I tried to make a self-signed certificate issued to tsgw.example.local, but the problem was the opposite: even if I installed the cert, browsers complained about a name mismatch.
- As far as I know, there is no public CA that allows issuing a cert with a public common name but a private altname/additional DNS name.
- The forum / SO/SF topics that I found recommend making a private CA and issuing a cert with that (it's able to issue a cert for both names), but it's our last plan, because we really don't want to force users to install a CA certificate to use our service (as they're non-AD computers, there is no automatic way to enforce trusting our CA) if there is a way to avoid that.
Is there any solution for this problem? I would be satisfied if there is a way to force RDWeb to ignore the name mismatch.
The solution was easier than I expected. You have to navigate in Server Manager to the Remote Desktop management interface, edit the deployment properties and change all certificates in the "Certificates" tab to the external certificate. In inter-server communication the services do not use an SSL-encrypted connection (just pure RPC), so they can simply ignore the certificate you install. However, in the client-server communication this certificate will be used, so it's very important that it is the same in all cases.
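The Server Manager steps above can also be scripted and verified from the broker. This is an added example, not code from the original answer, using the RemoteDesktop module's Set-RDCertificate and Get-RDCertificate cmdlets; the PFX path C:\certs\login.example.com.pfx and the broker name tsbroker.example.local are assumptions.

```powershell
# Added example: apply one external certificate to every RDS role, then check
# that all roles present the same certificate (the point of the answer above).
# Assumptions (not from the original post): PFX path and broker FQDN below.
Import-Module RemoteDesktop

$Broker  = 'tsbroker.example.local'            # assumed broker FQDN
$PfxPath = 'C:\certs\login.example.com.pfx'    # assumed path to the external cert
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# The four role certificates that clients see; each must carry the external name.
$Roles = 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector'

foreach ($Role in $Roles) {
    Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPass `
        -ConnectionBroker $Broker -Force
}

# Verify: every role should now show the same thumbprint and be issued to login.example.com.
$Certs = Get-RDCertificate -ConnectionBroker $Broker
$Certs | Format-Table Role, Level, IssuedTo, ExpiresOn, Thumbprint -AutoSize

# A mismatch here is exactly what produces the client-side name warning.
$Distinct = ($Certs | Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique).Count
if ($Distinct -ne 1) {
    Write-Warning "Roles use $Distinct different certificates; clients will still see a mismatch."
}
```

Run it from an elevated PowerShell session on the connection broker; the Level column should read Trusted for all four roles once the external certificate is in place.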
Why can't you buy an SSL cert from an authority? I was configuring a similar setup recently and I bought one from here: https://www.namecheap.com/ It's called PositiveSSL and costs around $6. After your server is configured with this one you won't get an SSL error.