The question I have is how would a domain admin include a custom SSL certificate of their own?

One of the reasons that SSL certificates are managed at the System level is because custom or third party SSL certificates need to be installed or copied to specific directories in the server itself. Even when SmarterMail manages its certificates, it has to generate them to the same location. The Windows side of things has to utilizes the Centralized Certificate Store for our automatic certificates to work and this requires setup on the server itself. 

Are you thinking a Domain admin should have the ability to disable SSL certificates for their own domain if the System admin allows it?

We have mitigations in place so our Let's Encrypt certificates can be generated without issue. There is also room to potentially include other Certificate Authorities in the future in case a client prefers one over another.

This is great.  Not all of my domains want to use Let's Encrypt certificates.  I specifically do not want to use Let's Encrypt for my servers as I have an expensive wildcard certificate for the primary interface, then I run my own CA to make certificates for my internal traffic.

For the life of me, I cannot recall how I got them installed in the first place, but I will be reminding myself in about 45 days when my wildcard expires.  I do know that I disabled the LE certificates in the SM interface.

It would be nice to be able to turn off LE certs per domain, as I have a couple of domain aliases which show as "unreachable" because the webmail and autodiscover hosts are not configured for those domains, as they are not necessary.

The root of my challenge is having more than one domain on a server and trying to manage each domain's SSL certs.  There also seems to be a bug since I'm seeing requests for 'subdomain.domain1.domain2.com' being requested!!