This will be fun to try, thank you! I think it will make it much more straightforward for people to convert play into product, using charms to spin things up that are interesting and then moving them into production with your cert management tooling.
I’m rather allergic to wildcard certs, or perhaps just old fashioned 
I’m interested in whether an interface could be created on the workload charm to handle HTTP-01 challenges? As you say, it would be the workload that would need to respond, but if the workload itself was integrated with the cert management tooling, then it could do so.
There’s a small typo on one of your interface names near the top of the post, “certitificates”.