[everforward]

Yes, because you want to know what certificates you're issuing. You could be automatically issuing and deploying certs on a system where the actual app was decommissioned. It's probably mostly a risk for legacy systems where the app gets killed, but the hardware stays live and potentially unpatched and is now vulnerable to a hacker taking it over.

With manual renewals, the cert either wouldn't get renewed and would become naturally invalid or the notification that the cert expired would prompt someone to finish the cleanup.

[ameliaquining]

This is what Certificate Transparency is for. If you want to know what publicly trusted certificates are being issued for whatever domains are of interest to you, that's how you find out. It has the important advantage of always working no matter how heterogeneous your stack is; the clients that request certificates do not need to be connected to any particular notification system.

[cortesoft]

Then you set up a process to monitor the certs that have been issued.