Storing Certificates Data

Stu McMurtrie
Tera Contributor

We have a requirement to relate Certificate data discovered on our servers with CI records. In our view, certificates aren't Assets or CIs as their management is covered by a separate Process (not Config or Asset Mgmt) and their attributes to be recorded are different enough to warrant their own records. I'm aware of the sys_certificate table and we do have data on there that relates to the ServiceNow instance itself. My question is, from a Platform Architecture perspective, are there any thoughts against using this to store Certificate data discovered on servers and relating it to those server CIs? Should this table be left purely for internal use? Thanks in advance for your input.

10 REPLIES

FredrikT
Tera Guru


Our current "certificate management" process came out of Problem Management prior to moving to ServiceNow where we have replicated it. We have many systems in use by various agencies which are not under the direct management of the central IT department (us) yet dependencies exist where certificate expiration has costly consequences across the enterprise.

A class was created, "Certificate", under the "Software" class. It looks like certificates captured by Discovery default to the Software class; however, the probes are not currently configured to capture our required attributes. Maturing the process is on the proverbial list 🙂

Required attributes currently are:

Name (that makes sense to a human)
Serial (for identification)
Expiration Date (to enable proactive behavior)
Support Group (to identify responsible and accountable staff)

Relationships are manually created for where the certificate is installed (server, appliance), what the certificate secures (application etc.), and any parent or root certificate that this cert may have been derived from.

A report of all Certificate CIs is emailed monthly to all the Certificate CI Support Groups sorted by expiration date.

As Incidents occur and Changes come through Change Management with respect to certificates, results are documented in the CMDB. This rudimentary process has encouraged compliance with change management and after eight years the unplanned outages have all but disappeared.

Next steps are to capture more certificates with Discovery and automate the creation and assignment of change orders prior to expiration.

Hope this helps?