When another cert (a test letsencrypt cert in the screenshot) is set as default, slapd still uses the old one so it seems there’s no restart of slapd.
[root@testserver ~]# openssl s_client -connect localhost:636
...
i:/CN=NethServer/O=Example Org/ST=SomeState/OU=Main/emailAddress=root@localhost.localdomain/C=--/L=Hometown
...
After manually restarting slapd the correct cert is used:
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
It’s working with legacy server manager.