Appendix: TODOs

Automate cert expiry monitoring — script or cron to check days-until-expiry weekly

Document CA submission process (AD CS web enrollment? email? portal?)

Create calendar reminder for next renewal (current expiry minus 60 days)

Evaluate: move from annual to 2-year certs if CA supports it

Evaluate: automate CSR generation and submission via ACME/Vault PKI

Document supplicant trust store update procedure (GPO for Windows, MDM for mobile)