Walk me through the lifecycle of a certificate in a PKI system you designed. How did you handle revocation and rotation?