You are using a Cisco IOS router, right? Or ASA/FTD?
If using hub and spoke, the recommended approach would be FlexVPN or DMVPN, assuming you are using a Cisco router. Cisco considers crypto maps as legacy. Most up-to-date Cisco documentation for Cisco IOS router VPNs is based on FlexVPN and, to a lesser extent, DMVPN.
What certificate authority are you intending to use? IOS router, Microsoft CA or?
FlexVPN certificate authentication
IOS Router certificate enrolment