Difficult, as SSL certs presented on sockets only work (trusted) for one or a couple of domains (only if you own those domains).
You can't create a cert that can be used for all 100k+ blocked domains from the Pi-hole lists.
My best bet: have your system configured with two IP addresses and bind daemons and vhosts to those particular IP addresses.
So one IP address for Pi-hole to return the block page and a blank page instead of an ad (plus iptables rules to reject 443 TCP traffic).
And another IP for hosting your vhost web sites behind a cert.
The posting below describes how to use "IP aliasing" to add another secondary IP address and how to bind dnsmasq and lighttpd:
And I even tried squeezing all 100k of blacklisted domains into a SAN cert but no success:
EDIT: forgot to mention, if your system has a second interface, you can use that one too for binding the daemons and vhosts.
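
One way to check that the daemons really are bound per address as the post above describes, added here as an example and not part of the original post. It reads `ss -Hltn` listener lines on stdin; the function name `audit_binds`, the 192.0.2.x addresses and the sample lines are constructed assumptions, and only IPv4 listeners on ports 53, 80 and 443 are examined.

```shell
#!/bin/sh
# Added example: audit listener lines (as printed by `ss -Hltn`) against
# the two-address layout: one address for Pi-hole, one for the TLS vhosts.

# audit_binds BLOCK_IP WEB_IP   (hypothetical helper, reads stdin)
# Prints one finding per line, or "OK" when the layout holds.
audit_binds() {
    awk -v block="$1" -v web="$2" '
    $1 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (port != "53" && port != "80" && port != "443") next
        # A wildcard bind answers on both addresses and defeats the split.
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
            print "WILDCARD " port; bad = 1
        }
        # A TLS listener on the block address would present a certificate
        # that cannot match the blocked domain names.
        if (addr == block && port == "443") { print "TLS_ON_BLOCK_IP"; bad = 1 }
        if (addr == web && port == "443") vhost = 1
    }
    END {
        if (!vhost) { print "NO_TLS_VHOST_ON_WEB_IP"; bad = 1 }
        if (!bad) print "OK"
    }'
}

# Constructed sample: daemons bound per address (SSH on wildcard is ignored).
GOOD='LISTEN 0 32 192.0.2.10:53 0.0.0.0:*
LISTEN 0 1024 192.0.2.10:80 0.0.0.0:*
LISTEN 0 1024 192.0.2.11:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample: web server on wildcard, TLS on the block address.
BAD='LISTEN 0 32 192.0.2.10:53 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:80 0.0.0.0:*
LISTEN 0 1024 192.0.2.10:443 0.0.0.0:*'

printf '%s\n' "$GOOD" | audit_binds 192.0.2.10 192.0.2.11
printf '%s\n' "$BAD"  | audit_binds 192.0.2.10 192.0.2.11
```

On a live system the input would be `ss -Hltn | audit_binds <block-ip> <web-ip>`; the check covers listeners only, not the iptables rule.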