I feel your pain. Setting up SSL can be frustrating for sure!
The common name is the external URL - so tableauserver.mycompany.com. Enter this name into the hosts file on the local system and have it use the local IP and into your external DNS using the external IP.
I would recommend getting a SSL certificate from DigiCert. They have fantastic support and they will help you out. You won't need an intermediate certificate if you go with them.
If you do go the "bargain SSL" route and end up with an intermediate certificate, that cert goes in the chain file. That's what the chain file is for. Depending upon the cert type and the vendor, you may need multiple intermediates in the chain file. The order goes intermediate #1, intermediate #2, then root. It's a pain to do, and can be challenging to test. The other consideration is to be sure to test mobile devices. They have a more limited set of CA roots so your SSL may work on a desktop but give an error on a mobile device. Which is why you're better off spending a few extra dollars and getting a quality cert from DigiCert. No, I don't work for them, just a fan!
Thanks for the reply. When you say "Enter this name into the hosts file on the local system and have it use the local IP and into your external DNS using the external IP", what do you mean? What is the hosts file? It's not the openssl.cnf file buried in the apache directory of Tableau Server is it? As far as I can tell I'm not supposed to be doing anything with openssl.cnf because I am not doing a SAN certificate.
The hosts file is located at /etc/hosts if you're on a Linux server. It's a way to hardcode DNS entries at the server level. Typically you want to do this when the IP address of the server is a non-routable IP (ie 192.168.x.x, 172.16.x.x., 10.x.x.x) which is being NAT'd to a real IP address used on the Internet.