ocdtrekkie 3 hours ago
Anyone who thinks this is that trivial has never worked in enterprise IT. Automated certificate renewal is maybe supported by 10% of services I operate where I work. And we're pretty modern. An organization with more legacy platforms is likely at "nothing supports automated renewal". We are a decade or two out from 47 day expiry being a sane concept.
crote 16 minutes ago
This is exactly why CAs are slowly reducing cert validity. With a 47-day validity already on the calendar for 2029, nobody in their right mind is going to onboard a new service/device without automated renewal in 2026. Same with any kind of contract renewal: are you going to risk staying with the current vendor who is "considering" supporting ACME "at some point in the future", or would you rather ask their competitor who already supports it to make you a nice deal to convince your manager? Sure, automated cert renewal might be supported by 10% of services right now, but what is that going to look like a couple of years from now when 100% of businesses are pestering their vendors for it, and leaving for competitors if they can't deliver?
Koffiepoeder 3 hours ago
Can confirm. Have encountered many on-prem and lift-and-shift solutions with no automated means of updating certs. The worst contenders are usually 1) executables on Windows Server (version 2012, of course), 2) old, obscure or very outdated database servers and 3) custom hardware firewalls. They are the worst. To make things easy they usually all use different cert formats as well, requiring you to have an arsenal of conversion scripts ready.
nik282000 3 hours ago
That's why I suggested that a week of dev time would be reasonable for automating the task. I work in a multinational nightmare corp, we still have a mission critical Win95 machine.