Preface – I'm new to working in netsec but I have had experience with certificates as a web dev, so I understand the basic concepts behind how certificate authorities and digital certificates work from that role. I'm also aware that X.509 certificates are used for a lot more than just providing HTTPS communication for websites.
My last company automated certificate deployment for hosts, but required manual processes for managing certs used by servers and applications. In my new org, I noticed from vulnerability scans that the environment has tons of SSL certificates that are untrusted (self-signed, unknown or unrecognized CA) or even years past expiration. As far as I am aware, the only trusted certs are the ones used for our websites, since those are managed by a different team.
Managing certs for hosts seems to be a very different beast and I'm confused about how to deal with this situation. The harder I look into it the more confused I become. I'm hoping there are some resources that could help point me in the right direction. Is there an industry standard for generating and managing certificates? Do organizations run their own CA using something like SimpleAuthority?
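Added example, not part of the original post: the triage a scanner performs on each certificate it finds, written against the Go standard library. It labels a cert as expired, self-signed (issuer equals subject and the signature verifies under the cert's own key), or issued by a CA that is not in the trust pool; `roots` stands for whatever trust store the scan is configured with, and the host names are constructed fixtures.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Finding is one triage label, matching the categories the scan reported.
type Finding string
const (
	Expired    Finding = "expired"     // outside the NotBefore..NotAfter window
	SelfSigned Finding = "self-signed" // issuer == subject, signed with its own key
	UnknownCA  Finding = "unknown-ca"  // no chain to a certificate in the trust pool
)

// Triage labels one certificate against a trust pool and a clock; labels stack.
func Triage(cert *x509.Certificate, roots *x509.CertPool, now time.Time) []Finding {
	var out []Finding
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		out = append(out, Expired)
	}
	// Self-signed means more than a matching name: the signature must verify under its own key.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		out = append(out, SelfSigned)
	}
	// Chain trust is evaluated at the cert's own NotBefore so an expiry error cannot mask a missing anchor.
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: cert.NotBefore})
	if _, ok := err.(x509.UnknownAuthorityError); ok {
		out = append(out, UnknownCA)
	}
	return out
}

// NewSelfSigned builds a constructed fixture (hypothetical host name): no CA, subject == issuer.
func NewSelfSigned(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture only; errors ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A self-signed cert that has been deliberately added to the pool is reported as self-signed but not as unknown-CA, which is the distinction to make before deciding which findings are accepted risk and which need an internal CA.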