Automatic certificate renewal by supplying old certificate

We’re looking to switch our CA platform and I was wondering whether Vault would be a good fit. We need the CA to issue initial end entity certs based on agent’s request. Those certs will be installed on hosts and from then on the hosts will be sending the renewal requests themselves. Thus the question, does Vault pki support issuing renewed certs based on old certs, assuming the CSR will be issued before expiration and signed by a still valid entity certificate (not by the “agent”)? I’m not referring to ACME renewals, if I understood it correctly, which would force CA/RA to contact the host back, as this is a tight shop and external connections are undesired. Wanted to know if this would be possible. I took a glance at vaultbot’s readme, but I fear it would require ACME/certbot-like DV procedure. Thanks.