>To connect all this together, our proxy hosts periodically query CertService for a list of recently modified custom domains. Each host then 1) fetches the new certificates from CertService, 2) writes them to disk, 3) regenerates a config like the one above, and 4) does a graceful restart of Apache. These restarts are staggered across our proxy pool so all but one of the hosts is available and receiving requests from the load balancer at any given time (fingers crossed).

How many pools are there? If you're having to restart Apache every time you renew a cert, are they renewing certs in the background and then only restarting Apache when they have around a thousand renewed? If so, wouldn't the current running certs be revoked in that time? It seems like on-the-fly cert usage is something that could be made, if not already.

I can't speak for Apache configurations, but on-the-fly cert lookup is possible in nginx using the lua_nginx module[1] - IIRC that feature was developed by Cloudflare, to power their SSL termination.

[1]: https://github.com/openresty/lua-nginx-module/#ssl_certifica...
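What that on-the-fly lookup can look like, as an added example that is not code from this thread, from Cloudflare or from the lua-nginx-module project: nginx picks the certificate per handshake from the TLS SNI name in an `ssl_certificate_by_lua_block`, using the `ngx.ssl` API from lua-resty-core, so a renewed cert on disk is served without any restart. The `/etc/certs/<hostname>/` layout, the `cert_cache` shared dictionary and the 60-second cache TTL are assumptions.

```nginx
http {
    # Assumed: shared cache so DER certs are decoded once per host, not per handshake.
    lua_shared_dict cert_cache 10m;

    server {
        listen 443 ssl;
        server_name _;

        # Static fallback; it stays in effect whenever the Lua handler returns early.
        ssl_certificate     /etc/certs/default/fullchain.pem;
        ssl_certificate_key /etc/certs/default/privkey.pem;

        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"

            local function read_file(path)      -- blocking read; files are small
                local f = io.open(path, "r")
                if not f then return nil end
                local data = f:read("*a"); f:close()
                return data
            end

            local name, err = ssl.server_name()
            if not name then
                ngx.log(ngx.INFO, "no SNI sent: ", err, "; using default cert")
                return
            end
            -- Only plain hostname characters, and never "..": the name becomes a path.
            if not name:match("^[%w%-%.]+$") or name:find("%.%.", 1, true) then
                ngx.log(ngx.WARN, "rejected SNI value: ", name)
                return
            end

            local cache = ngx.shared.cert_cache
            local der_cert, der_key = cache:get(name .. ":cert"), cache:get(name .. ":key")
            if not der_cert then
                local pem_cert = read_file("/etc/certs/" .. name .. "/fullchain.pem")
                local pem_key  = read_file("/etc/certs/" .. name .. "/privkey.pem")
                if not pem_cert or not pem_key then return end   -- unknown host: fallback
                -- A malformed file aborts this handshake rather than serving a wrong cert.
                der_cert = assert(ssl.cert_pem_to_der(pem_cert))
                der_key  = assert(ssl.priv_key_pem_to_der(pem_key))
                cache:set(name .. ":cert", der_cert, 60)   -- renewed files picked up within 60 s
                cache:set(name .. ":key",  der_key,  60)
            end

            assert(ssl.clear_certs())            -- drop the fallback for this handshake
            assert(ssl.set_der_cert(der_cert))
            assert(ssl.set_der_priv_key(der_key))
        }
    }
}
```

Because the handler only ever reads files under `/etc/certs/`, whatever writes renewed certs there (the CertService poller from the quoted post, for instance) needs no coordination with nginx beyond replacing the files atomically.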