Technology

manual renewals with Digicert has been a pain in the ass. If anyone has experience with their automated option I’d love to hear it.

Aren't they RFC8555-compatible?

Yep, seems so:

ACME Directory URLs – Get certificate-level automation for Extended Validation (EV) and Organization Validated (OV) certificates. Manage multiple ACME clients, running on Windows or Linux so you can efficiently automate certificate delivery regardless of the quantity of certificates you’re managing. Improve the security of using ACME in your network through our CertCentral discovery sensors. The sensor is an extra layer of security, ensuring the ACME client doesn’t directly speak to an unsecure third party.

If you search for RFC8555 or ACME, you may find a tool you can use that may be compatible for renewing Digicert certs automatically.

I'd love to actually help, but honestly I knew the RFC offhand (correction; I was close but off) and googled the rest myself, so dragging the problem to ACME - like RFK dragging the carcass of a deer back to his sedan - is the best I can do for you today.

Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn't particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let's Encrypt.

I'm in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.