VyOS Platform

Certificate Auto Enrollment via SCEP
Open, Normal | Public | FEATURE REQUEST

Description

I think SCEP (Simple Certificate Enrollment Protocol) would be a great addition to the VyOS PKI functionality.
Instead of generating and manually installing certificates on each router, you have a SCEP process do it for you.

Most firewalls that support SCEP require a locally generated RSA key pair.
You then define the SCEP server URL, CRL location (if you want to check CRLs), any parameters for auto-renewing the certificate, and the certificate-specific information (Alternate Names such as IP address, DNS names, etc.).

Then just use SCEP to do the work! Request the CA certificate, generate a signing request via the info provided, send it to the SCEP server for signing. Then check back periodically to receive and install your new certificate.

This allows you to easily get certificates on new firewalls and build VPN tunnels with them. Realistically all the leg work can be done in the configuration, then automatically processed from there. It also allows you to use certificates with a short life span as they can easily be automatically rotated out. Just request a new certificate from SCEP and when you get it, override the old one and restart the ipsec process.

Here's a configuration example from Juniper:
https://supportportal.juniper.net/s/article/SRX-J-Series-Certificate-based-PKI-VPN-using-SCEP-Simple-Certificate-Enrollment-Protocol-in-a-Junos-device?language=en_US

Another example from Palo Alto:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/obtain-certificates/deploy-certificates-using-scep

Fortinet and Cisco also have SCEP client implementations.

Ultimately I think this could be a great addition worth considering. It streamlines generating and managing larger certificate deployments.
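The enrollment loop the request describes (fetch the CA certificate, submit the signing request, poll until the CA answers, re-enroll before expiry), as an added example that is not part of the original request and not VyOS code. It models the client-side decisions of an RFC 8894 SCEP client with the Python standard library only. The function names, the server URL `http://ca.example.net/scep`, the CA capability strings and the CertRep status sequence are assumptions constructed for illustration; the PKCS#7 wrapping of the CSR is passed in as opaque bytes rather than built here. Two checks a practitioner would want are included: GetCACert travels over unauthenticated HTTP, so the fetched CA certificate is compared against a fingerprint configured out of band, and GetCACaps is consulted so the client refuses to enroll rather than downgrading to the pre-RFC-8894 defaults (DES/MD5) when the CA advertises no AES/SHA-2 support (the refusal is this example's policy choice).

```python
"""Client-side logic of a SCEP auto-enrollment loop (RFC 8894), standard
library only.  Added example, not VyOS code: function names, server URL and
sample CA responses are constructed for illustration."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# pkiStatus and failInfo values from RFC 8894, section 3.2.1
PKI_SUCCESS, PKI_FAILURE, PKI_PENDING = "0", "2", "3"
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}


def scep_url(server_url, operation, message=None):
    """SCEP over HTTP GET: <server>?operation=<op>[&message=<msg>]."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{server_url}?{urlencode(params)}"


def parse_ca_caps(body):
    """Parse a GetCACaps response (one keyword per line) and pick the strongest
    hash and cipher the CA advertises.  Only SHA-2 and AES are accepted here
    (policy choice of this example); None means the CA would force the legacy
    algorithms and the caller should abort instead of silently downgrading."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    hash_alg = next((h for h in ("SHA-512", "SHA-256") if h in caps), None)
    cipher = "AES" if "AES" in caps else None
    return {"hash": hash_alg, "cipher": cipher,
            "post": "POSTPKIOperation" in caps, "renewal": "Renewal" in caps}


def verify_ca_cert(ca_cert_der, expected_sha256):
    """GetCACert is fetched over plain HTTP, so the client must authenticate
    the CA certificate against a fingerprint obtained out of band (here a hex
    SHA-256 configured on the device, colons optional)."""
    want = expected_sha256.lower().replace(":", "")
    return hashlib.sha256(ca_cert_der).hexdigest() == want


def plan_pkioperation(server_url, caps, pkcs7_der):
    """Choose the transport for PKIOperation: POST with the raw PKCS#7 body if
    the CA advertises POSTPKIOperation, else GET with the body base64-encoded
    into the message parameter (urlencode handles the URL escaping)."""
    if caps["post"]:
        return ("POST", scep_url(server_url, "PKIOperation"), pkcs7_der)
    encoded = base64.b64encode(pkcs7_der).decode()
    return ("GET", scep_url(server_url, "PKIOperation", encoded), None)


def next_action(pki_status, fail_info=None):
    """Map the pkiStatus of a CertRep to what the enrollment loop does next."""
    if pki_status == PKI_SUCCESS:
        return "install"
    if pki_status == PKI_PENDING:   # awaiting approval: retry with GetCertInitial
        return "poll"
    if pki_status == PKI_FAILURE:
        return "fail:" + FAIL_INFO.get(fail_info, "unknown")
    raise ValueError(f"unknown pkiStatus {pki_status!r}")


def renewal_due(not_before, not_after, now, lead_time=timedelta(days=7)):
    """True when the installed certificate should be re-enrolled.  The lead
    time is capped at half the lifetime so a fixed '7 days before expiry'
    policy still behaves sensibly for short-lived (e.g. 48 h) certificates."""
    lifetime = not_after - not_before
    lead = min(lead_time, lifetime / 2)
    return now >= not_after - lead


def enroll(server_url, caps_body, ca_cert_der, expected_fp, pkcs7_der, responses):
    """Drive one enrollment: check capabilities, authenticate the CA cert, pick
    the transport, then walk a constructed sequence of (pkiStatus, failInfo)
    CertRep answers until the CA says SUCCESS or FAILURE.  Returns the step log."""
    log = []
    caps = parse_ca_caps(caps_body)
    if caps["hash"] is None or caps["cipher"] is None:
        return log + ["abort: CA advertises no AES/SHA-2 capability"]
    log.append(f"caps: {caps['hash']}/{caps['cipher']}")
    if not verify_ca_cert(ca_cert_der, expected_fp):
        return log + ["abort: CA certificate fingerprint mismatch"]
    log.append("ca-cert: fingerprint verified")
    method, url, _body = plan_pkioperation(server_url, caps, pkcs7_der)
    log.append(f"request: {method} {url.split('?')[0]}")
    for status, fail in responses:
        action = next_action(status, fail)
        log.append(action)
        if action != "poll":
            break
    return log


if __name__ == "__main__":
    # Constructed sample inputs; a real client fetches these over HTTP.
    ca_der = b"constructed-ca-certificate-der"
    steps = enroll("http://ca.example.net/scep",
                   "AES\nSHA-256\nPOSTPKIOperation\nRenewal\n",
                   ca_der, hashlib.sha256(ca_der).hexdigest(), b"constructed-pkcs7",
                   [(PKI_PENDING, None), (PKI_PENDING, None), (PKI_SUCCESS, None)])
    print("\n".join(steps))
    nb = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print("renew 48h cert at +24h:", renewal_due(nb, nb + timedelta(hours=48), nb + timedelta(hours=24)))
```

The `renewal_due` cap is the detail that makes short-lived certificates workable: with a plain seven-day lead time a two-day certificate would be re-enrolled immediately after installation, so the effective lead time is the smaller of the configured value and half the lifetime. On a router the loop would run from a timer, and "install" would be followed by writing the new certificate into the PKI store and reloading IPsec as the request suggests.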

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)