As @Osiris says, only (1) on that list has to happen. There's absolutely nothing to do to "install" the new cert (with any of the popular clients, and certainly with certbot, the path to the cert and key files remains constant through renewals). If you insist on shutting down apache, the list would look like:
- Get new certificate
- Restart apache.
...which would give you about 2 seconds of downtime while apache restarted. But a better approach yet would be:
- Get new certificate
- Reload apache
...in which case you have no downtime at all.
What sort of problem do you anticipate that would cause this? If issuance fails, /etc/letsencrypt/live/yourdomain/cert.pem and the other related files will still point to the last-issued cert, so Apache runs just fine.
Yeah, I think you probably are.
Edit: But if you're convinced that you need to manually test and install each new cert, then I think you're right that you'd be better off with a different CA. LE is explicitly designed around the idea of automated issuance and renewal, and makes few (if any) concessions for manual use.