I know on a former commercial product I used the monthly machine account credential renewal had a "hook" parameter where you could specify an executable script to be called. It was designed to work with Samba, so that you could write the samba keytab file without Samba needing to access the /etc/krb5.keytab file.
Possibly sssd has such a post-rotate hook parameter as well.
That worked great for creating Samba-viewable credentials.
However, it sounds like you're defining SPNs as alternate names for the host principal. I don't see how you could write an HTTP.keytab file or so with entries for HTTP/<service>@<domain> without embedding the credentials for the host principal (under the HTTP/ SPN of course).
Spike
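As an added illustration of the keytab point above (example code, not part of the original post or of any product mentioned): a minimal MIT-format keytab writer and reader, a hook-style filter that emits only the HTTP/ entries, and a check showing that those entries still carry the machine account's key. Principal names, kvnos and key bytes are constructed placeholders.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab file format, version 2
KRB5_NT_PRINCIPAL = 1
def build_keytab(entries):
    # entries: (principal, kvno, enctype, key); writes the 8-bit kvno field only
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1); comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                   # counted octet strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno, enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    # Inverse of build_keytab; a negative size marks a deleted slot to skip.
    if data[:2] != KEYTAB_MAGIC: raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0: pos -= size; continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos); pos += 2
        strings = []                                # realm, then name components
        for _ in range(ncomp + 1):
            ln, = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + ln].decode()); pos += ln
        _, _, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos); pos += 13
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype, data[pos:pos + klen]))
        pos = end
    return entries

def filter_keytab(data, service_prefix):
    # What a post-rotate hook would do: emit a keytab holding one service's entries.
    return build_keytab([e for e in parse_keytab(data) if e[0].startswith(service_prefix)])

def principals_sharing_keys(entries):
    # Groups of principal names whose entries carry byte-identical key material.
    groups = {}
    for principal, _, enctype, key in entries:
        groups.setdefault((enctype, key), set()).add(principal)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
# Constructed sample: host/ and HTTP/ are SPNs of one machine account and share its key;
# nfs/ belongs to a different account. Enctype 18 = aes256-cts-hmac-sha1-96.
ACCOUNT_KEY = bytes(range(32))                      # placeholder, not a real key
ENTRIES = [
    ("host/web01.example.com@EXAMPLE.COM", 3, 18, ACCOUNT_KEY),
    ("HTTP/web01.example.com@EXAMPLE.COM", 3, 18, ACCOUNT_KEY),
    ("nfs/nas01.example.com@EXAMPLE.COM", 7, 18, bytes(32)),
]
```

Running `principals_sharing_keys(parse_keytab(filter_keytab(build_keytab(ENTRIES), "HTTP/")))` on the filtered file finds nothing to group, yet the single HTTP/ entry's key bytes equal `ACCOUNT_KEY`, which is exactly the host principal's credential.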