PKI: Cloud, On-Premises or Hybrid

How do I determine what is the correct certificate authority (CA) hierarchy for my business? Even if I get my design correct now, how do I ensure it’s not obsolete in five years’ time? What if the company is divested or what if we merge with another company, how will this impact our certificate authority (CA) hierarchy and PKI design.

I need to be sure that my design is compliant with all the regulatory and legal requirements for my particular business. How can I be sure that I have a fully compliant design that will satisfy a stringent audit?

I have a certificate estate that is spread over a vast area, most of the certificates are about to expire, a lot of them I know are none compliant.
Almost all of them are manually provisioned and I desperately need a way to centrally manage them.

Furthermore, I need a way to ensure that any new compliant certificates do not break the applications that rely on them, (we can help).