Hi Rob,
>> To make changes will require a couple days' notice whereas today we had to move 8 sites to a different location (and IP) due to computer issues.
One of the goals of SSL is to prevent the site being "hijacked". In other words, you know the server you're pointing to is the "real server". This by definition means some name-to-IP scheme, with associated name-to-IP resolution & management (i.e. DNS).
The speed with which you can move the server from one box to another is directly related to your ability to change the DNS values.
You say the servers are on an intranet - but you didn't note if the _clients_ can access the internet, i.e. if your DNS settings are in normal internet servers, can the client get to them? If so, then you would just put the names there, and set the IP to an _internal_ IP address. Only your clients would have access to those IPs, so exposing the DNS entry won't expose the app itself.
Now theoretically it can take time for a DNS change to propagate, but in practice it's pretty quick, especially if all the clients add the DNS server you are using to their list of DNS servers.
Alternatively, you don't use DNS at all. Rather, you set the IP address, to match the name, in the users' HOSTS file. This would take more management, I think (actually, it sounds like a separate program running on their machine, which gets the mapping from a central server you maintain, would be required for it to be practical).
Or, as you say, you have an internal DNS server which only serves these names, and you add this DNS server to the list of DNS servers used by all the client machines. Actually, on a large intranet I'm surprised they don't do this already...
Cheers
Bruce
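
The HOSTS-file option above needs a small client-side updater. The following is an added sketch, not part of Bruce's message: it rewrites only a marked block of the hosts file from a name-to-IP mapping that is assumed to have been fetched already from the central server. The marker text, function names and sample host names are hypothetical.

```python
import ipaddress
import re

# Hypothetical markers; everything between them is owned by the updater.
BEGIN = "# BEGIN managed-intranet-sites"
END = "# END managed-intranet-sites"
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def render_block(mapping):
    """Validate name -> IP pairs and render them as a marked hosts block."""
    lines = [BEGIN]
    for name in sorted(mapping):
        if len(name) > 253 or not all(_LABEL.match(p) for p in name.split(".")):
            raise ValueError(f"bad host name: {name!r}")
        ip = ipaddress.ip_address(mapping[name])  # ValueError if malformed
        if not ip.is_private:
            # Intranet sites should only ever map to internal addresses.
            raise ValueError(f"{name}: {ip} is not an internal address")
        lines.append(f"{ip}\t{name.lower()}")
    lines.append(END)
    return lines


def merge_hosts(hosts_text, mapping):
    """Return hosts_text with the managed block replaced (or appended).

    Lines outside the markers, such as the user's own entries, are kept.
    """
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    if inside:
        # Refuse to guess where the block ends rather than drop user lines.
        raise ValueError("unterminated managed block")
    while kept and not kept[-1].strip():
        kept.pop()
    return "\n".join(kept + render_block(mapping)) + "\n"


# Constructed sample input: an existing hosts file and the new mapping.
SAMPLE_HOSTS = ("127.0.0.1\tlocalhost\n" + BEGIN + "\n"
                "10.0.0.5\tsite1.intranet.example\n" + END + "\n")
NEW_MAP = {"site1.intranet.example": "10.0.9.21",
           "site2.intranet.example": "10.0.9.22"}
```

Because the certificate is issued for the name, only the address lines change when a site moves to another box.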