It turns out that Centova is, in fact, building the certificate bundle Icecast needs correctly.
However, when it modifies the Icecast file, it is also arbitrarily assigning a new port number to use with the stream, whether you had already set this up previously or not. In my case, we had hand-modified the Icecast server.conf file so that the stream went out on port 8080. When I used the new TLS certificate feature, Centova rewrote my server.conf file to use the first unused port after 8000, which in my case was 8004.
This is useless behavior. It should at least tell you it's setting an arbitrary port number for TLS/SSL, and what that port is. You shouldn't have to go digging in the server.conf to find it. It should also NOT REWRITE the port number if it's already there, but instead make use of the existing SSL setting if there is one.
Ideally, there should be a field in the UI so that you can define which port number Centova should use for this, but there is no such field in the interface. Hurray for getting it working at all, guys, and congrats on getting a proper build for the certificate file via the UI, but to be usable, you're going to have to fix some things.
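A way to see which port ended up carrying TLS after a rewrite like the one described above, as an added example that is not part of the original post and is not Centova's or Icecast's own code. It assumes server.conf uses Icecast's XML `<listen-socket>` layout with `<port>` and `<ssl>` children; the function names and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the post): a hand-edited config with TLS on
# 8080, and the same config after a tool moved TLS to 8004.
BEFORE = """<icecast>
  <listen-socket><port>8000</port></listen-socket>
  <listen-socket><port>8080</port><ssl>1</ssl></listen-socket>
</icecast>"""

AFTER = """<icecast>
  <listen-socket><port>8000</port></listen-socket>
  <listen-socket><port>8004</port><ssl>1</ssl></listen-socket>
</icecast>"""


def listen_sockets(xml_text):
    """Return {port: tls_enabled} for every <listen-socket> in the config."""
    sockets = {}
    for sock in ET.fromstring(xml_text).iter("listen-socket"):
        port = sock.findtext("port")
        if port is None:
            continue  # socket without an explicit port: nothing to compare
        tls = (sock.findtext("ssl") or "0").strip() == "1"
        sockets[int(port.strip())] = tls
    return sockets


def tls_port_changes(before_xml, after_xml):
    """Compare two configs and report how the TLS listeners moved."""
    before, after = listen_sockets(before_xml), listen_sockets(after_xml)
    tls_before = {p for p, tls in before.items() if tls}
    tls_after = {p for p, tls in after.items() if tls}
    return {
        "tls_added": sorted(tls_after - tls_before),
        "tls_removed": sorted(tls_before - tls_after),
        "ports_dropped": sorted(set(before) - set(after)),
    }


if __name__ == "__main__":
    # To check real files, read a backup and the current server.conf instead.
    for key, ports in tls_port_changes(BEFORE, AFTER).items():
        print(f"{key}: {ports}")
```

Running it against a backup taken before enabling the certificate feature and the rewritten file shows the moved listener without reading the XML by hand.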