Renew machine certificate on Server Core OS
I replaced my internal CA and needed to replace all certificates, including the machine certs on my server core machines. I had to replace the domain controller certs, and some machine certs.
Now, simple as that may seem, one (like me) might think of the wrong options. You cannot, e.g., request a domain controller certificate if you are not a domain controller.
So the option is Auto Enrollment. Modify your default domain policy or default domain controller policy, and configure auto enrollment. Fire up Group Policy Management:
– Computer Configuration \ Windows Settings \ Security Settings \ Public Key Policies
    – Enable Certificate Enrollment Policy
    – Enable Auto Enrollment
– Computer Configuration \ Windows Settings \ Security Settings \ Public Key Policies \ Automatic Certificate Request Policies
    – Enable Domain Controller and Machine
Now run gpupdate /force, and your cert will be installed smoothly.
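On Server Core the result is easiest to confirm from PowerShell. The script below is an added example, not part of the original post: it refreshes policy, triggers auto-enrollment, and reports which certificates in the machine store come from the new CA and which still chain to the old one. The CA names are placeholders and the 30-second wait is an assumption; adjust both for your environment.

```powershell
# Added example: verify auto-enrollment on a Server Core machine.
# $NewCaName / $OldCaName are placeholders (assumptions): set them to the
# common names of your replacement CA and the retired CA.
param(
    [string]$NewCaName = 'NEW-CA-PLACEHOLDER',
    [string]$OldCaName = 'OLD-CA-PLACEHOLDER'
)

# Refresh computer policy, then kick the auto-enrollment task right away.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30   # enrollment runs asynchronously; wait time is an assumption

# Template name is stored in one of two extensions, depending on template version.
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $tmpl = $_.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1

    $origin = if     ($_.Issuer -like "*CN=$NewCaName*") { 'NewCA' }
              elseif ($_.Issuer -like "*CN=$OldCaName*") { 'OldCA' }
              else                                       { 'Other' }

    [pscustomobject]@{
        Origin        = $origin
        Subject       = $_.Subject
        Template      = if ($tmpl) { $tmpl.Format($false) } else { '' }
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        Thumbprint    = $_.Thumbprint
    }
}

$report | Sort-Object Origin, NotAfter | Format-Table -AutoSize

# A usable machine cert must come from the new CA, have its private key, and be unexpired.
$good = $report | Where-Object {
    $_.Origin -eq 'NewCA' -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
}
if (-not $good) {
    Write-Warning "No valid certificate from '$NewCaName' in LocalMachine\My yet."
}

# Certificates from the retired CA that are still present in the store.
$stale = $report | Where-Object { $_.Origin -eq 'OldCA' }
if ($stale) {
    Write-Warning "$(@($stale).Count) certificate(s) from '$OldCaName' remain in the store."
}
```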