Same certificate to multiple hosts

Thank for such quick follow ups.
Our registra is dynodot, they are not listed at

supported registrars

Therefore,
it does not look like let’s encrypt will be able to do DNS-01 validation (even if I create the _acme-challenge for every subdomain we need).

our HTTP (port 80) is currently closed. So cannot do http-based validation. But will check, may be that’s the route we can take

WRT to the other points in my question. Thank you for clarification. It seems that I would have to use hooks in one of the clients, to follow the renewal with an execution of custom ‘toJKS’ and scp scripts.