I actually wrote a blog post about this. This one is about ACME, which could be handy, but for endpoints I'd recommend using SCEP (to not expose any unnecessary ports and such).

Smallstep is creating a very handy SCEP server, which could serve as an intermediary CA to serve new certificates. Implementation guidance for SCEP here. If you need more information about setting up an intermediary CA for this, feel free to reach out.