From any domain user account, open certlm.msc.
Click Certificates > Personal > Certificates > All Tasks > Request New Certificate.
Click Next.
Click Active Directory Enrollment > Client access.
Note: Do the following if you do not want to use Active Directory Enrollment options:
Click Configured by You > Add New.
Enter the Enrollment Policy Server URI as CEP server address for either Username_Password or Kerberos Authentication.
Select Authentication type as Windows Integrated.
Click Validate Server.
After successful validation, click Add.
Click Next.
Select any template.
Click Details > Properties.
Click Enroll.
In the Subject tab, provide a fully qualified domain name (FQDN).
In the Private Key tab, select Make private key exportable.
Click Apply > Enroll.