Is there a specific method or process to replace all of the certificates required in a Kubernetes 1.7 cluster? Is this even possible?

Client is worried about using certificate auth and not being able to revoke/blacklist certs properly if someone leaves.