Yesterday we had the WMF CA 2014-2017 expire without any kind of warning, causing the handful of certificates issued by it to expire, which in turn cascaded into a widespread monitoring tools and WMCS outage. We should monitor for the expiration of that CA, and warn sufficiently in advance in case of expiry.
Side note: I renewed the CA for another 3 years (2017-2020) rather than e.g. 10 on purpose, to make sure that these CA refreshing procedures are exercised often. I'd be inclined to make it even shorter.
While at it, we should also make sure other internal CAs are monitored as well. The Puppet CA, which is used more as a general purpose CA these days, also immediately comes to mind.
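As an added example of the kind of check this ticket asks for (not code from this task or from the WMF/WMCS setup): a stdlib-only Python check that reads a CA certificate's notAfter and returns an Icinga-style status. The 60-day warning and 14-day critical thresholds are assumptions, and the sample certificate it builds is a constructed, unsigned fixture used only so the check can be exercised offline.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(buf):
    """Decode one DER TLV: returns (tag, body, remaining bytes)."""
    tag, ln, off = buf[0], buf[1], 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[off:off + ln], buf[off + ln:]
def _children(body):
    out = []
    while body:
        tag, val, body = _tlv(body)
        out.append((tag, val))
    return out

def not_after(pem):
    """notAfter of a PEM certificate as an aware UTC datetime, stdlib only."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    tbs = _children(_tlv(der)[1])[0][1]            # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                        # serial, sigAlg, issuer, validity
    tag, val = _children(validity)[1]              # second Time is notAfter
    s = val.decode("ascii")
    if tag == 0x17:                                # UTCTime: YY >= 50 means 19YY (RFC 5280)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_ca(pem, warn_days=60, crit_days=14, now=None):
    """Icinga-style result: (0 OK / 1 WARNING / 2 CRITICAL, days remaining). Thresholds assumed."""
    days = (not_after(pem) - (now or datetime.now(timezone.utc))).days
    return (2 if days < crit_days else 1 if days < warn_days else 0), days
def _enc(tag, body):                               # tiny DER encoder for the fixture (< 256 bytes)
    n = len(body)
    return bytes([tag, n] if n < 128 else [tag, 0x81, n]) + body
def sample_ca_pem(not_after_utc=b"200610000000Z"):
    """Constructed, unsigned certificate-shaped DER; a test fixture, not a real CA."""
    tbs = _enc(0x30, b"".join([
        _enc(0xA0, _enc(0x02, b"\x02")),                         # version v3
        _enc(0x02, b"\x01"),                                     # serialNumber
        _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _enc(0x30, b""),                                         # issuer (empty, fixture only)
        _enc(0x30, _enc(0x17, b"170610000000Z") + _enc(0x17, not_after_utc)),  # validity
        _enc(0x30, b""), _enc(0x30, b"")]))                      # subject, SPKI (empty)
    cert = _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

Pointing `check_ca` at the real CA PEM files (the WMF CA and the Puppet CA) from an Icinga check gives the advance warning the ticket asks for; the exit code is the first element of the returned tuple.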