We use cergen for certificate generation in the private repo in most places. We currently still use cassandra-ca-manager for Cassandra and should migrate to using cergen to keep in step with other projects.
Via T329951: Replace expiring Cassandra TLS certificates (restbase[1019-1027]):
"...we could try to use PKI for Cassandra? It would make the cert renewal process less tedious for sure, puppet would take care of most of the burden..." -- @elukey
"...we have an implementation of cfssl (see more details in https://wikitech.wikimedia.org/wiki/PKI/CA_Operations), I am proposing to add a new intermediate (like we did also for Kafka brokers) and use puppet to request certificates from it when needed (like when they are expiring etc..). We'd need to study a way to migrate the clusters over the new certs (and also clients using TLS, if any) but it should be doable :)" -- @elukey