Hacker News

This may be good for the selfhoster who is running more than a couple of sites.

But a GUI to manage enterprise-level SSL fleets? Doubtful.

Not when a change/configuration management system (Puppet, Chef, Ansible, etc.) driven by git commits enables single-source-of-truth, peer-review, and automatic creation/monitoring/renewal of certificates.



You're absolutely right, at the enterprise level, managing an SSL fleet goes far beyond just issuance, and you can't assume the certificates you're issuing are the only ones that exist.

Shameless plug: if you need to cut through the noise of thousands of certs across thousands of hosts, there's https://sslboard.com


Shame this isn't open source or some open source equivalent


To be honest, it's rather difficult and costly to run, with a 1.5B-row database of indexed unexpired certificates and a scanning job that took weeks from dozens of IPs.


Oh, so this is only a cloud-hosted service, no on-prem option?


The CT Log scanning infrastructure is cloud based (rather bare metal actually); the application db, service, and Host scanning can be on-prem. An exceptional enterprise customer could convince me to offer a 100% on-prem solution.


Hello, and thank you for pointing out this tool, which I ignored before.

There is an opportunity to improve the tool then; I added this feature as a wanted feature in the plan, as certmate dev :)


Most "homelabs", self hosters or small outfits would already use something like Traefik or Cloudflare tunnels with auto cert management.

Their main concerns are getting browser "unsafe" warnings to disappear and keeping it so. They want nothing to do with cert issuance or renewal.



