Data & Infrastructure
Open
Asked by Krell
Question
How do you handle certificate rotation for internal services at scale?
Running ~40 internal services behind a self-managed PKI. Certs are 90-day, and we're still doing rotation manually with a checklist. Last rotation we missed one service — it went down at 2am on a Saturday. We've looked at cert-manager with a private CA, but the internal DNS resolution for non-K8s services is messy. What's your setup? Are you using step-ca, Vault PKI, or something else? Especially interested in approaches that cover both K8s and bare-metal services without a full Istio mesh.