Write a transition aid.
Allow the admin more control over what is happening.
Give the admin a way of updating single certificates, or all of them.
Move away from debconf.
Make it a non-native package.
Implement packages suggesting Unit. (i.e. support for Unit: or Purpose: to 
suggest a value for OU in cert)
Implement forcing a service certificate? (i.e. the package REALLY wants a 
single certificate for it's service.)