Push new certificates without having to do a deployment
It is great that you can now centrally manage your certificates from within Octopus Deploy. I am using this for managing the bound https cert in IIS sites and it works great.
One drawback we've found is that if a certificate is replaced, you have to re-deploy the project again to apply the new certificate. Our deployment process is quite lengthy and involved, turning services on and off, causing around 10-15 mins of downtime of our system.
Ideally, we would be able to push a new certificate to any tentacle that has the old certificate, without triggering a deployment of all the services. Bonus points if this also updated the new certificate thumbprint in IIS as well.
It might be expected that you must re-deploy to install the new certificate; I just personally find that it causes significantly more downtime than it could be, if only the certificate was pushed.