Hi expert

I am in the process of deploying a D365 on-premises environment and I have a few questions that need to be cleared up before starting.
We have 2 domains ABC.com and XYZ.com. The original license and all user IDs are under ABC.com.
But we have selected the XYZ domain for deploying the SandBox, since ABC is located in a different country.
Under which domain name should I purchase the certificate and will it create any issue when going for a Production environment?
How do I apply it, Enterprise User, Functional User, Task User, Self-Serve User, from the admin portal to on-premises?

Please suggest the right path.

Thanks

Sona Jee