Install a full PKI. It is convenient to use smart cards (usb tokens are more common in Russia) to generate a key pair and store it together with a certificate. To manage these smart cards, you need a CMS - Card Management System.
Delivery can be independent. For example, after logging in to the self-service portal using a domain login-password, a user automatically receives all the necessary certificates on a smart card.
After that, CMS independently monitors the need to renew certificates and reminds the user about it.
I implemented such issuance of certificates on OpenTrust PKI + OpenTrust CMS.