Reminds me of when our license for ElasticSearch was expiring, the process took so long (we wrote a countdown application to test out our local PaaS) that it had expired, and just silently turned off secure auth.

Seems totally reasonable to me.

If you can have such a structured, rote process then why isn't it just automated/self-serve? That is one thing I like about my medium-sized (public) company, you can't necessarily touch things yourself but you only wait in line for human attention if your request is somewhat unusual or actually calls for discretion and creativity.

"Because our users are irresponsible, and will order 1000's of dollars of externally signed certificates..."

shock horror maybe they might actually ... get more done and therefore need more stuff :D

"let's encrypt is not good enough, our customers are "enterprise", bla bla"