I've used a shared Dropbox folder with a KeePassX instance in it, with a shared password for that container. If needed, we could just change the password on the KeePassX container and/or remove the access to Dropbox.
Used the same approach, but with a Google Drive document instead of Dropbox. But you can't skip updating all (or at least, most of the perimetral ones) passwords when an employee leaves (unless you trust him even after he leaves). If he made a local copy of the KeePassX file (or even pasted every password in a document, to cover most of the other alternatives), removing access to Dropbox or changing the master password will not stop him from accessing the old passwords. And the same goes for certificates.
Same goes for any centralized service you may use. You are still able to copy passwords manually into a text file, local KeePass, etc. True, it is easier with a shared KeePass, but the challenge is the same if you truly need to make sure a former employee can no longer access anything.