Renewing domain CA SSL/SSTP Certificate from non-domain Clients

I have a VPN setup using RRAS/SSTP to authenticate clients. However, some of the clients are connecting via personal computers which are not joined to the domain. Initial setup was done by manually remoting in to every client via TeamViewer and installing the necessary certificates. However, now the client cert is expiring and I'd like to find a way to streamline the renewal process so that I don't have to remote into every computer and so an average user can complete the process with a few clicks.

So far, it seems like this is a nearly impossible task. If the computers were domain joined, there are a few options to renew the cert automatically. But I am hitting roadblocks getting non-domain PCs to renew the cert via any method apart from manual intervention by me (getting average users to navigate through mmc/certmgr is not viable). Is there any way to make this work via some sort of renewal request or another tool?

CA is Windows Server 2012 R2, clients are all Windows 10, cert needing renewal is a Client Authentication type created using the Domain Controller Authentication template.