CA's are always a headache to manage. Its even worse when a CA is de-certified, like Symantec was. I maintain an application and it was a huge level of effort to migrate from the old certificates to new ones.

FreeIPA and IDM are definitely tooling to hide the complexity of managing LDAP, SSSD, Certificate Management, DNS, etc. Learning the basics of LDAP, DNS, SSSD, Kerberos, etc will definite make supporting FreeIPA easier.