Oracle, RHEL, Windows Server, AWS-hosted sites. you name it, we probably have it.
allowing systems to directly retrieve their own certs is going to be unpalatable to org leadership (though i'm still keeping it in the list as 'possible') as we already have serious issues with shadow IT inside the enterprise. Forcing web admins to go through our central IT office is one of the control methods we are using to keep a lid on rogue developers.