That was a long title.
Now, down to business. I ran these commands on macOS so they may vary a bit if you’re on another OS.
After installing certbot, go ahead and generate a new cert using:
certbot certonly --manual --preferred-challenges dns --email administrator@domain.com --domains domain.com
This will give you a DNS challenge which basically means adding a TXT record to your domain, please double check the new record has been propagated before continuing, I use the following website: https://www.whatsmydns.net/
After that, certbot will tell you where the files were saved, I recommend copying them out of /etc/.
You can now generate the PFX cert using openssl:
openssl pkcs12 -export -out certificate_fullchain.pfx -inkey privkey.pem -in fullchain.pem