Reminds me of @webprofusion's Feature requests for a new certificate server/API? as well.
I'm a fan of the concept, whatever the particular flavor/focus.
It would also be nice to have a modality where private keys don't touch the certificate server. Maybe when you set up a client initially, it authenticates to the certificate server with PAKE, generates and sends off a CSR, then the certificate server just continually renews the certificate using that.
I think when you have like dozens or more servers in an org, not all of which are using configuration management, something like this makes big sense. In Kubernetes land, the centralized certificate store approach works very admirably. I think another solution which targets ad-hoc servers would be a hit.
I'm also vaguely wary that there might be something that overlaps with this kind of use case in the ACME wg, but don't recall exactly.
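The "private keys never touch the certificate server" modality sketched above, written out as an added example in Go's standard library (this is not code from the original post or from any project it mentions): the client generates its key pair and hands over only a CSR; the server checks the CSR's self-signature as proof of possession, stores it, and then issues fresh certificates from the stored CSR on every renewal without the client participating. The PAKE login is assumed to have already happened and is not implemented; the `clientID`, the hostname, the in-memory CA and the helper names (`must`, `enroll`, `renew`) are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: used only for the demo's own key and CA setup, never for client input.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// client keeps its private key locally; only a CSR ever leaves it.
type client struct{ key *ecdsa.PrivateKey }

func newClient() *client {
	return &client{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

// csrDER builds a CSR for host, signed with the client's key (proof of possession).
func (c *client) csrDER(host string) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return must(x509.CreateCertificateRequest(rand.Reader, tmpl, c.key))
}

// certServer holds the CA key and one stored CSR per enrolled client. It never sees a
// client private key. clientID is assumed to come from a prior PAKE login (not shown).
type certServer struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	csrs   map[string]*x509.CertificateRequest
}

func newCertServer() *certServer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{ // constructed self-signed CA for the example
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &certServer{caKey: key, caCert: must(x509.ParseCertificate(der)), csrs: map[string]*x509.CertificateRequest{}}
}

// enroll is the one-time step after PAKE: parse, check and store the client's CSR.
func (s *certServer) enroll(clientID string, csrDER []byte) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("enroll %q: %w", clientID, err)
	}
	// A valid self-signature proves the client holds the private key for the enclosed public key.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("enroll %q: bad CSR signature: %w", clientID, err)
	}
	s.csrs[clientID] = csr
	return nil
}

// renew issues a fresh certificate from the stored CSR. It can run on a schedule with no
// client involvement, because only the CSR's public key and the CA key are needed.
func (s *certServer) renew(clientID string, lifetime time.Duration) (*x509.Certificate, error) {
	csr, ok := s.csrs[clientID]
	if !ok {
		return nil, fmt.Errorf("renew: no CSR enrolled for %q", clientID)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: csr.Subject, DNSNames: csr.DNSNames, NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.caCert, csr.PublicKey, s.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, s := newClient(), newCertServer()
	if err := s.enroll("app1", c.csrDER("app1.internal.example")); err != nil { // constructed id/host
		panic(err)
	}
	for i := 0; i < 2; i++ { // two renewals; the client takes no part
		cert, err := s.renew("app1", time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("issued serial %s, expires %s\n", cert.SerialNumber, cert.NotAfter.Format(time.RFC3339))
	}
}
```

Two things this sketch leaves to a real design: the server should also check that the names in the stored CSR are ones the PAKE-authenticated identity is allowed to hold, since the CSR signature only proves key possession, not authorization; and because the same key is reused for every renewal, the client still needs a way to re-enroll with a new CSR when it rotates its key.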