The documentation I found in a quick search all wants me to change lighttpd to use my own SSL certificate.
But at least recent versions of the self-hosted (non-container) instance no longer use lighttpd to serve their web UI.
Now the pihole service itself listens on ports 80 and 443.
karloff@Bessel:~$ ss -tulpen | grep pihole
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* uid:999 ino:14263 sk:b cgroup:/system.slice/pihole-FTL.service <->
udp UNCONN 0 0 [::]:53 [::]:* uid:999 ino:14265 sk:e cgroup:/system.slice/pihole-FTL.service v6only:1 <->
tcp LISTEN 0 200 0.0.0.0:443 0.0.0.0:* uid:999 ino:16764 sk:1 cgroup:/system.slice/pihole-FTL.service <->
tcp LISTEN 0 200 0.0.0.0:80 0.0.0.0:* uid:999 ino:16763 sk:2 cgroup:/system.slice/pihole-FTL.service <->
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:* uid:999 ino:14264 sk:3 cgroup:/system.slice/pihole-FTL.service <->
tcp LISTEN 0 200 [::]:443 [::]:* uid:999 ino:16766 sk:6 cgroup:/system.slice/pihole-FTL.service v6only:1 <->
tcp LISTEN 0 200 [::]:80 [::]:* uid:999 ino:16765 sk:7 cgroup:/system.slice/pihole-FTL.service v6only:1 <->
tcp LISTEN 0 32 [::]:53 [::]:* uid:999 ino:14266 sk:8 cgroup:/system.slice/pihole-FTL.service v6only:1 <->
To change the SSL certificate, edit /etc/pihole/pihole.toml and, inside the [webserver] section, change the domain value to your needs to get rid of some warnings.
Inside the [webserver.tls] section you can also adjust the cert path.
Your certificate must be in a combined key-and-cert PEM file, which can be created from only your certificate and the related key; it does not take any intermediate.
karloff@Bessel:~$ cat ssl-certficate.crt > /etc/pihole/tls.pem
karloff@Bessel:~$ cat ssl-certficate.key >> /etc/pihole/tls.pem
After creating tls.pem, restart the pihole-FTL service; a reload alone does not change the certificate.
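
A sanity check for the combined file, as an added example that is not part of the original post: the helper below refuses a certificate file that holds a chain and writes the result readable by its owner only. The function name build_tls_pem and its return codes are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. build_tls_pem is a hypothetical
# helper; the input file names are whatever your CA gave you.
#
# build_tls_pem CERT KEY OUT
#   0  combined PEM written to OUT
#   1  an input file is missing/unreadable, or OUT could not be written
#   2  CERT does not hold exactly one certificate (e.g. it is a full chain)
#   3  KEY does not contain a private key
build_tls_pem() {
    cert=$1; key=$2; out=$3
    [ -r "$cert" ] && [ -r "$key" ] || return 1

    # The post states that no intermediate is taken, so expect one cert only.
    n_cert=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$n_cert" -eq 1 ] || return 2

    # Matches PRIVATE KEY, RSA PRIVATE KEY and EC PRIVATE KEY headers.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || return 3

    # The output contains the private key: create it with mode 0600 and
    # move it into place only once it is complete.
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$cert" "$key" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# Usage (as root). The file must stay readable by the account pihole-FTL
# runs as (uid 999 in the ss output above), so set ownership accordingly:
#   build_tls_pem ssl-certficate.crt ssl-certficate.key /etc/pihole/tls.pem \
#       && systemctl restart pihole-FTL
```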