Create a request INF file. There are a lot of attributes that you can apply to the request. This is where all of the functionality of the certificate will go, the key length, the subject name, etc, but all of that will mostly be filled in by the the template anyways.
[NewRequest]
Exportable = TRUE
[RequestAttributes]
CertificateTemplate = "User"
Create the request file from the INF configuration:
certreq -new request.inf request.req
Submit the certificate to the designated Certificate Authority. If you do not specify one, then a pop up will happen so that you may select one from the list. This is not very stealthy
certreq -submit -config CAHostName\CAName request.req request.cer
Accept the new certificate into the certificate store of the current user. This isn't a required step but does help when exporting to get a complete certificate chain.
certreq -accept temp.cer
Source: https://stackoverflow.com/a/63201131
Listing certificates:
certutil -store my
Exporting it with Powershell:
You do need to get the $Thumbprint of the certificate you want first. You can do that with gci cert:\LocalMachine\My\
then selecting the certificate you wish to export from the list.
$mypwd = ConvertTo-SecureString -String $password -Force -AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\$Thumbprint -FilePath C:\corey.com.pfx -Password $mypwd