I am making architecture of system with multiple servers and clients. >300 units in total.

Currently busy with Security. And want to make use of CA.

The main question is not clear for me is how it is simplifying managing certificates? Why "When a Digital Certificate expires and is replaced, the administrator will only need to replace the expired Digital Certificate (Public Keys and Private Keys), there will be no need to copy a Public Key to any locations." (Part 2, 8.1.3.)

It is not completely clear for me the big picture of how Certificate Authority should work. My wish is to integrate with existing in company systems (EJB-CA). So, we can have central place to manage all certificates and access. And automate is as much as possible.

Should I make (Global) Discovery Server with UI where administrator manages certificates(create, update and distribute), access and permissions?

What is the "best practice" for this?

Should I provide more information?