michaelpaoli

joined 11 months ago
[email protected] 1 points 11 months ago (1 children)

having to manually update the certs every 90 days for devices that can't run certbot is a hard pass

You automate the sh*t out of it ... or at least as much as reasonably feasible.

E.g. I've often done scripts/programs that will easily and automagically install certs across many servers/devices of lots of different types and configurations, with just a single command. If you can do it manually from CLI, you can automate it.

I've also very well automated obtaining certs - again, simple quick command.

Combine those things and some reasonable checks/monitors/reminders or whatever else, and you've got something that's fully automated to do it all ... or at least pretty darn close.
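The "checks/monitors/reminders" piece from the comment above, as an added example (not the commenter's code): a standard-library Python check that reads the certificate each device is serving and flags the ones due for renewal. The 30-day threshold, the function names and the host names are assumptions made for illustration.

```python
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 30  # assumption: renew once under 30 days of a 90-day cert remain

def days_left(not_after, now=None):
    """Days until a getpeercert() notAfter string such as 'Jan  1 00:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def fetch_not_after(host, port=443, timeout=5):
    """Read notAfter from the certificate the device is actually serving."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def classify(not_after, now=None, renew_before=RENEW_BEFORE_DAYS):
    remaining = days_left(not_after, now)
    if remaining <= 0:
        return "expired"
    return "renew" if remaining < renew_before else "ok"

def check_fleet(hosts, fetch=fetch_not_after, now=None):
    """Return {host: status}. A failed handshake is reported, not raised, so one
    dead or already-expired device (which fails verification) cannot hide the rest."""
    report = {}
    for host in hosts:
        try:
            report[host] = classify(fetch(host), now)
        except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError
            report[host] = "error: " + type(exc).__name__
    return report

if __name__ == "__main__":
    # Constructed inventory and notAfter values, so this runs offline;
    # drop the fetch= argument to query real devices.
    sample = {"nas.example.internal": "Jan  1 00:00:00 2030 GMT",
              "printer.example.internal": "Mar  1 00:00:00 2030 GMT"}
    now = ssl.cert_time_to_seconds("Dec 15 00:00:00 2029 GMT")
    for host, status in check_fleet(sample, fetch=sample.__getitem__, now=now).items():
        print(f"{host}: {status}")
```

Run from cron or a systemd timer, anything other than "ok" in the report is the reminder that the deploy step for that device needs to run or has failed.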