by birdman3131 300 days ago
One of the arguments to be made is that while "automation reduces the possible human errors," it also reduces the amount of human oversight as well.
3 comments

Oversight over… what exactly? TLS certificates don't need human oversight. If you want to see which certificates have been issued for your domains, set up certificate transparency monitoring. But thank goodness we're past paying people for comparing certificate checksums.
Schrödinger's certificates are so mundane they don't need human oversight, but are so precious they need to be renewed every 47 days
Your point is..? That applies to a lot of automatically maintained infrastructure, and it works just fine.
Do you really need more oversight on renewals than a simple success/failure notification?

For new certificates you can keep the existing amount of human oversight in place, so nothing changes on that front.

Yes, because you want to know what certificates you're issuing. You could be automatically issuing and deploying certs on a system where the actual app was decommissioned. It's probably mostly a risk for legacy systems where the app gets killed, but the hardware stays live and potentially unpatched and is now vulnerable to a hacker taking it over.

With manual renewals, the cert either wouldn't get renewed and would become naturally invalid or the notification that the cert expired would prompt someone to finish the cleanup.

This is what Certificate Transparency is for. If you want to know what publicly trusted certificates are being issued for whatever domains are of interest to you, that's how you find out. It has the important advantage of always working no matter how heterogeneous your stack is; the clients that request certificates do not need to be connected to any particular notification system.
Then you set up a process to monitor the certs that have been issued.
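The two comments above (the one recommending Certificate Transparency monitoring instead of manual review, and the one worried about certs being renewed for decommissioned hosts) describe a review process without showing one. The script below is an added example, not code from the thread or any poster: it takes CT log entries in the JSON shape that crt.sh returns (id, issuer_name, name_value, not_before, not_after), compares them against an inventory of expected issuers, active hosts and decommissioned hosts, and reports anything that does not fit. The entries, hostnames, ids and issuer strings are constructed for the example; a real run would fetch entries from a CT monitor or crt.sh and load the inventory from the asset database.

```python
"""Flag unexpected certificate issuances from Certificate Transparency data.

Added example. Assumptions (not from the original thread): entries are dicts
shaped like crt.sh's JSON output; the sample entries, hostnames and issuer
strings below are constructed, not real issuances.
"""
from dataclasses import dataclass

# Constructed sample entries in the crt.sh JSON shape (hypothetical ids/hosts).
SAMPLE_ENTRIES = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-05-01T00:00:00", "not_after": "2024-07-30T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "legacy-app.example.com",
     "not_before": "2024-05-02T00:00:00", "not_after": "2024-07-31T00:00:00"},
    {"id": 1003, "issuer_name": "C=XX, O=Some Other CA, CN=Other CA Issuing",
     "name_value": "*.example.com",
     "not_before": "2024-05-03T00:00:00", "not_after": "2025-05-03T00:00:00"},
]

# Inventory the reviewer maintains (constructed for the example).
EXPECTED_ISSUERS = {"Let's Encrypt"}          # CAs our automation is allowed to use
ACTIVE_HOSTS = {"example.com", "www.example.com"}
DECOMMISSIONED_HOSTS = {"legacy-app.example.com"}  # app is gone, box may still be up


@dataclass(frozen=True)
class Finding:
    entry_id: int   # CT log entry id the finding refers to
    name: str       # the DNS name that triggered it
    reason: str     # why a human should look at it


def issuer_org(issuer_name: str) -> str:
    """Extract the O= component of an RFC 4514-style issuer string.

    Simplification: escaped commas inside a value (\\,) are not handled.
    """
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""


def names_in(entry: dict) -> list:
    """crt.sh packs all SANs into name_value separated by newlines."""
    return [n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()]


def review_entries(entries, expected_issuers, active_hosts, decommissioned_hosts):
    """Return one Finding per (entry, name, reason) that deviates from inventory."""
    findings = []
    for entry in entries:
        org = issuer_org(entry["issuer_name"])
        for name in names_in(entry):
            # A CA we never configured our automation to use is the classic
            # "who issued this?" signal CT monitoring exists to catch.
            if org not in expected_issuers:
                findings.append(Finding(entry["id"], name, f"unexpected issuer: {org}"))
            # A renewal for a host whose application was decommissioned means
            # the cleanup was never finished and the box is likely still live.
            if name in decommissioned_hosts:
                findings.append(Finding(entry["id"], name, "issued for decommissioned host"))
            elif name.startswith("*."):
                findings.append(Finding(entry["id"], name, "wildcard certificate"))
            elif name not in active_hosts:
                findings.append(Finding(entry["id"], name, "name not in inventory"))
    return findings


if __name__ == "__main__":
    for f in review_entries(SAMPLE_ENTRIES, EXPECTED_ISSUERS, ACTIVE_HOSTS,
                            DECOMMISSIONED_HOSTS):
        print(f"entry {f.entry_id}: {f.name}: {f.reason}")
```

On the constructed sample this yields three findings: entry 1002 for the decommissioned host, and entry 1003 twice (an issuer not on the allow-list, and a wildcard name). Entry 1001 matches inventory and is silent, which is the point: a reviewer only sees the deviations, not every routine renewal.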
No better way to create errors at scale than automation ;-)