Then run "certbot renew" via cron once a day, it will renew the 90-day certificate automatically when it nears expiration. (obviously the FQDN in the third line above has to reach the server)
A simple dialog to create a new cert would only need the FQDN from the admin, then it could request a new certificate and automatically renew without any further intervention... (and without being overwritten every time there's an update, hopefully)
With the python-certbot-nginx package (and its dependancies) installed then it just takes "certbot --nginx -d host.domain.tld" and it will handle the entire process of signing a request, requesting a certificate, confirming control of host.domain.tld, retrieving the signed certificate, and installing it. (might need "--agree-tos" as well to run non-interactively, haven't checked) After than running "certbot renew" periodically will check if the certificate is nearing expiration and renew when needed. (90-day expirations IIRC)
So from a WebUI perspective we'd just need to specify or approve the FQDN and turn it loose and it could handle everything from then on. (assuming "certbot renew" is set up in a cronjob)
Certbot is a support program from certbot.eff.org (Electronic Frontier Foundation) while the certificates are issued by letsencrypt.org and trusted by every browser I've tried. (Mozilla and Chrome are among their sponsors)
If we already have a wildcard certificate or have paid for one specific to the cnMaestro on-premises FQDN then the UI to install them is great, but if we're going to request a new certificate for this host then I'd prefer LetsEncrypt for the automation and the free certificates.