@AzureUser-9588 The first step would be to use Key Vault to store certificates, which consuming services poll for updates. Then you would need a way to update the certificates in advance to ensure the latest are picked up by the downstream services.
Key Vault supports renewal of certificates as well for partnered CAs. For others, you could build a workflow to trigger on certificate expiry Key Vault events and update certificates well in advance.
If you are using Let's Encrypt for your certificates, you could use a solution like keyvault-acmebot to handle things for you.
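The event-triggered workflow mentioned above could start from a handler like the following. This is an added example, not code from the answer or from keyvault-acmebot; it assumes Key Vault events arrive through an Event Grid webhook subscription in the Event Grid schema, and the function name `handle_batch`, the vault `contoso-kv` and the certificate names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

RENEW_EVENTS = {"Microsoft.KeyVault.CertificateNearExpiry",
                "Microsoft.KeyVault.CertificateExpired"}
VALIDATION = "Microsoft.EventGrid.SubscriptionValidationEvent"


def handle_batch(events, now=None, allowed_vaults=frozenset({"contoso-kv"})):
    """Return (response_body, renewal_tasks) for one Event Grid delivery."""
    now = now or datetime.now(timezone.utc)
    tasks = []
    for ev in events:
        etype, data = ev.get("eventType"), ev.get("data") or {}
        if etype == VALIDATION:
            # Webhook handshake: echo the code so the subscription activates.
            return {"validationResponse": data["validationCode"]}, []
        if etype not in RENEW_EVENTS or data.get("ObjectType") != "Certificate":
            continue  # secrets, keys and "new version" events need no renewal
        if data.get("VaultName") not in allowed_vaults:
            continue  # ignore vaults this workflow does not own
        expires = datetime.fromtimestamp(int(data["EXP"]), tz=timezone.utc)
        tasks.append({
            "vault": data["VaultName"],
            "certificate": data["ObjectName"],
            "version": data.get("Version"),
            "days_left": (expires - now).days,
            "urgent": etype.endswith("CertificateExpired") or expires <= now,
        })
    # Most urgent first, so the renewal job requests those certificates first.
    return {}, sorted(tasks, key=lambda t: t["days_left"])


# Constructed sample delivery (not captured from a real vault).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _event(etype, vault, otype, name, days):
    exp = int((NOW + timedelta(days=days)).timestamp())
    return {"eventType": "Microsoft.KeyVault." + etype,
            "data": {"VaultName": vault, "ObjectType": otype,
                     "ObjectName": name, "Version": "constructed-version",
                     "EXP": exp}}


SAMPLE = [
    _event("CertificateNearExpiry", "contoso-kv", "Certificate", "web-tls", 20),
    _event("SecretNearExpiry", "contoso-kv", "Secret", "db-password", 5),
    _event("CertificateExpired", "contoso-kv", "Certificate", "api-tls", -2),
    _event("CertificateNearExpiry", "other-kv", "Certificate", "foreign", 3),
]
```

Each returned task names the vault and certificate to renew; requesting the new certificate from the CA and importing it into Key Vault is left to the renewal job.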