Thank you for your answer.
So, to confirm this before buying any SSL certificate, here's my scenario based on the Deployment Assistant.
Active Directory forest root: contoso.com
Internal Exchange 2013 server host name: mail.contoso.com
External Exchange 2013 server FQDN: mail.contoso-inc.com
Primary SMTP namespace: *
User principal name domain: contoso.com
Microsoft Online ID domain: company.com
Internal Active Directory Federation Services (AD FS) server hostname (only for organizations choosing to deploy single sign-on): adfs.contoso.com
External AD FS server FQDN (only for organizations choosing to deploy single sign-on): adfsproxy.company.com
On-premises Autodiscover FQDN: mail.contoso.com
Service tenant FQDN (You can only choose the subdomain portion of this FQDN. The domain portion must be "onmicrosoft.com".): contoso.com.onmicrosoft.com
Notice that my local AD domain name contoso.com is not internet routable; it's used locally only. My domain name that's internet routable is company.com.
So, as I cannot use any wildcard cert, what and how many SSL certs do I need to buy from DigiCert for both ADFS and ADFS Proxy? What details should I pass to DigiCert for purchase?