As a platform developer
I want to rotate client certificates for service users without downtime
so that I can maintain a proper security level and availability.

In order to rotate to new certificates while the old one is still valid, we need to create a new service user. Combining a predefined pattern for service user names and clever use of wildcards in ACLs makes this work, but it increases the number of active service users by 2-3x.
When Aiven services have a limit on the number of active service users, this 2-3x increase causes problems.

When a certificate expires, a new certificate is created, but the old one is still valid until it expires. We want to do something similar via the API.