So, basically, all I need for this to work like I already expect it to work, would be for the letsencrypt routine to
a) add the nsdc-hostname.domainname.tld to the list of requested CNs, or ‘Domains’ as they are called in the GUI
b) Next step is to simply copy the created certificate and key to the expected locations. Defaults are:
cp /etc/pki/tls/certs/localhost.crt /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp /etc/pki/tls/private/localhost.key /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem   # could probably be skipped
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem  # could probably be skipped
Is there a way for me to “extend” that routine, or is this something that is within the range of possibilities to be added to the letsencrypt routine of AD account provider type installs?
(Reason being: Java and other services depend on a valid certificate, self-signed is a no-go. My hack is easy to forget (as @davidep remarked when I voiced my solution) and quite necessary for proper AD functioning.)
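
An added example, not part of the original post and not the project's own code: one way to script step b) so it can be run after every renewal instead of by hand. The paths from the post are the defaults; the function names and the return-code convention are assumptions made for this sketch.

```shell
#!/bin/sh
# Defaults are the locations quoted in the post; override via environment.
SRC_CERT=${SRC_CERT:-/etc/pki/tls/certs/localhost.crt}
SRC_KEY=${SRC_KEY:-/etc/pki/tls/private/localhost.key}
DEST_DIR=${DEST_DIR:-/var/lib/machines/nsdc/var/lib/samba/private/tls}

# install_one SRC DEST MODE  (hypothetical helper)
# Writes SRC to a temp file next to DEST with MODE already set, then renames
# it over DEST, so a reader of DEST never sees a partial file.
# Returns 0 if DEST was replaced, 1 if it was already identical, 2 on error.
install_one() {
    src=$1; dest=$2; mode=$3
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 2; }
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        chmod "$mode" "$dest" || return 2   # same content, still enforce mode
        return 1
    fi
    tmp="$dest.new.$$"
    install -m "$mode" "$src" "$tmp" || { rm -f "$tmp"; return 2; }
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
    return 0
}

# sync_nsdc_cert  (hypothetical name)
# Returns 0 if key or certificate changed (the service reading them needs a
# restart), 1 if nothing changed, 2 on error.
sync_nsdc_cert() {
    [ -d "$DEST_DIR" ] || { echo "no such directory: $DEST_DIR" >&2; return 2; }
    rc_key=0;  install_one "$SRC_KEY"  "$DEST_DIR/key.pem"  600 || rc_key=$?
    if [ "$rc_key" -eq 2 ]; then return 2; fi
    rc_cert=0; install_one "$SRC_CERT" "$DEST_DIR/cert.pem" 644 || rc_cert=$?
    if [ "$rc_cert" -eq 2 ]; then return 2; fi
    if [ "$rc_key" -eq 0 ] || [ "$rc_cert" -eq 0 ]; then return 0; fi
    return 1
}
```

Because the function reports whether anything changed, a renewal hook can call it unconditionally and restart the dependent service only on return code 0.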