Certificate rotation suggestions and administrative purview

Hi everyone. I would like to hear how other people using Search Guard have tackled certificate rotations and team-level administration of your clusters. I’m sick of generating new certs by hand with our janky in-house PKI that our department has no purview over. What are your production setups like? How are you performing rolling upgrades? How many off the shelf tools are you using versus in-house tools?

By its nature, Elasticsearch can be deployed a billion different ways, and I find that there is a very distinct lack of life cycle descriptions of production clusters with Search Guard as its security layer.

And please, I can google just fine, and I can find strange and esoteric posts and mailing lists from all over the internet describing Elasticsearch implementations. We use Search Guard at my employer, and I would like to know how others are using it, including (as I just mentioned) how you are managing life cycles. I would also be interested in administrative delegation, if any of you have time.