diff --git a/internal/policies/manager.go b/internal/policies/manager.go index 7f1227374..953ef5f75 100644 --- a/internal/policies/manager.go +++ b/internal/policies/manager.go @@ -54,7 +54,7 @@ import ( // ProOnlyRules are the rules that are only available for Pro subscribers. They // will be filtered otherwise. -var ProOnlyRules = []string{"privilege", "scripts", "mount", "apparmor", "proxy"} +var ProOnlyRules = []string{"privilege", "scripts", "mount", "apparmor", "proxy", "certificate"} // Manager handles all managers for various policy handlers. type Manager struct { @@ -107,6 +107,7 @@ type options struct { gdm *gdm.Manager apparmorParserCmd []string + certAutoenrollCmd []string } // Option reprents an optional function to change Policies behavior. @@ -120,6 +121,14 @@ func WithCacheDir(p string) Option { } } +// WithStateDir specifies a personalized state directory. +func WithStateDir(p string) Option { + return func(o *options) error { + o.stateDir = p + return nil + } +} + // WithDconfDir specifies a personalized dconf directory. func WithDconfDir(p string) Option { return func(o *options) error { @@ -152,6 +161,14 @@ func WithRunDir(p string) Option { } } +// WithShareDir specifies a personalized share directory. +func WithShareDir(p string) Option { + return func(o *options) error { + o.shareDir = p + return nil + } +} + // WithApparmorDir specifies a personalized apparmor directory. func WithApparmorDir(p string) Option { return func(o *options) error { 
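Review bot: The new `certAutoenrollCmd` field added to `options` carries no comment, and what a nil value means is only discoverable later in NewManager, where nil skips the `certificate.WithCertAutoenrollCmd` option and a non-nil slice is forwarded to the certificate manager; presumably nil then falls back to whatever certificate.New uses by default. Since this slice names an executable that the certificate manager will run, that contract deserves to be stated where the field is declared, e.g. `certAutoenrollCmd []string // nil: not forwarded, certificate package default applies`. The `options` struct begins and ends outside this hunk, and the sibling `apparmorParserCmd` field is equally undocumented, so a comment on both would keep the struct consistent.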
@@ -201,6 +218,14 @@ func WithSystemdCaller(p systemdCaller) Option { } } +// WithCertAutoenrollCmd specifies a personalized certificate autoenroll command. +func WithCertAutoenrollCmd(cmd []string) Option { + return func(o *options) error { + o.certAutoenrollCmd = cmd + return nil + } +} + // NewManager returns a new manager with all default policy handlers. func NewManager(bus *dbus.Conn, hostname string, backend backends.Backend, opts ...Option) (m *Manager, err error) { defer decorate.OnError(&err, i18n.G("can't create a new policy handlers manager")) @@ -266,11 +291,15 @@ func NewManager(bus *dbus.Conn, hostname string, backend backends.Backend, opts proxyManager := proxy.New(bus, proxyOptions...) // certificate manager - certificateManager := certificate.New(backend.Domain(), + certificateOpts := []certificate.Option{ certificate.WithStateDir(args.stateDir), certificate.WithRunDir(args.runDir), certificate.WithShareDir(args.shareDir), - ) + } + if args.certAutoenrollCmd != nil { + certificateOpts = append(certificateOpts, certificate.WithCertAutoenrollCmd(args.certAutoenrollCmd)) + } + certificateManager := certificate.New(backend.Domain(), certificateOpts...) // inject applied dconf mangager if we need to build a gdm manager if args.gdm == nil { diff --git a/internal/policies/manager_test.go b/internal/policies/manager_test.go index ebd8a323e..370589c9c 100644 --- a/internal/policies/manager_test.go +++ b/internal/policies/manager_test.go 
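Review bot: `WithCertAutoenrollCmd` stores the caller's slice header directly with `o.certAutoenrollCmd = cmd`, so the caller keeps a live alias to the argv that the certificate manager will later execute and can change the command after the option has been applied. Copying on the way in, `o.certAutoenrollCmd = append([]string(nil), cmd...)`, detaches the stored command from the caller's backing array while keeping a nil input nil, which is the value NewManager tests for. The doc comment could also say that nil leaves the certificate package default in place, since that is the only way to express "no override".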
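Review bot: In NewManager the guard `if args.certAutoenrollCmd != nil` lets an empty but non-nil slice (`[]string{}`) through, so a caller passing an empty command overrides the certificate package default with an argv that has no executable in it; the intent reads as "a command was configured", which is `if len(args.certAutoenrollCmd) > 0 {`. Building `certificateOpts` as a slice and appending conditionally is fine, but the length test is the one that matches the option's meaning. NewManager starts and ends outside this hunk, so I cannot see whether `apparmorParserCmd` is handled the same way; if it is, the two should agree.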
@@ -56,12 +56,13 @@ func TestApplyPolicies(t *testing.T) { "Second call with no subscription don't remove scripts if session hasn’t ended": {policiesDir: "all_entry_types", secondCallWithNoSubscription: true, scriptSessionEndedForSecondCall: false}, // Error cases - "Error when applying dconf policy": {policiesDir: "dconf_failing", wantErr: true}, - "Error when applying privilege policy": {makeDirReadOnly: "etc/sudoers.d", policiesDir: "all_entry_types", wantErr: true}, - "Error when applying scripts policy": {makeDirReadOnly: "run/adsys/machine", policiesDir: "all_entry_types", wantErr: true}, - "Error when applying apparmor policy": {makeDirReadOnly: "etc/apparmor.d/adsys", policiesDir: "all_entry_types", wantErr: true}, - "Error when applying mount policy": {makeDirReadOnly: "etc/systemd/system", policiesDir: "all_entry_types", wantErr: true}, - "Error when applying proxy policy": {noUbuntuProxyManager: true, policiesDir: "all_entry_types", wantErr: true}, + "Error when applying dconf policy": {policiesDir: "dconf_failing", wantErr: true}, + "Error when applying privilege policy": {makeDirReadOnly: "etc/sudoers.d", policiesDir: "all_entry_types", wantErr: true}, + "Error when applying scripts policy": {makeDirReadOnly: "run/adsys/machine", policiesDir: "all_entry_types", wantErr: true}, + "Error when applying apparmor policy": {makeDirReadOnly: "etc/apparmor.d/adsys", policiesDir: "all_entry_types", wantErr: true}, + "Error when applying mount policy": {makeDirReadOnly: "etc/systemd/system", policiesDir: "all_entry_types", wantErr: true}, + "Error when applying proxy policy": {noUbuntuProxyManager: true, policiesDir: "all_entry_types", wantErr: true}, + "Error when applying certificate policy": {policiesDir: "certificate_failing", wantErr: true}, } for name, tc := range tests { tc := tc 
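Review bot: The only certificate error case added here, `certificate_failing` with an `autoenroll` value of "NotANumber", exercises value parsing, while the next hunk stubs the enrollment command with `policies.WithCertAutoenrollCmd([]string{"/bin/true"})`, so the command-execution path that this commit makes injectable is never driven to failure. If the certificate manager runs `certAutoenrollCmd` during ApplyPolicies (not visible from this diff), a table entry whose command is `/bin/false` would cover the non-zero-exit path without touching the golden files. That would need a new boolean in the test case struct and a conditional choice of command in the option list, which is a handful of lines across the two hunks.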
@@ -82,6 +83,8 @@ func TestApplyPolicies(t *testing.T) { sudoersDir := filepath.Join(fakeRootDir, "etc", "sudoers.d") apparmorDir := filepath.Join(fakeRootDir, "etc", "apparmor.d", "adsys") systemUnitDir := filepath.Join(fakeRootDir, "etc", "systemd", "system") + stateDir := filepath.Join(fakeRootDir, "var", "lib", "adsys") + shareDir := filepath.Join(fakeRootDir, "usr", "share", "adsys") loadedPoliciesFile := filepath.Join(fakeRootDir, "sys", "kernel", "security", "apparmor", "profiles") err = os.MkdirAll(filepath.Dir(loadedPoliciesFile), 0700) @@ -102,13 +105,16 @@ func TestApplyPolicies(t *testing.T) { hostname, mockBackend{}, policies.WithCacheDir(cacheDir), + policies.WithStateDir(stateDir), policies.WithRunDir(runDir), + policies.WithShareDir(shareDir), policies.WithDconfDir(dconfDir), policies.WithPolicyKitDir(policyKitDir), policies.WithSudoersDir(sudoersDir), policies.WithApparmorDir(apparmorDir), policies.WithApparmorFsDir(filepath.Dir(loadedPoliciesFile)), policies.WithApparmorParserCmd([]string{"/bin/true"}), + policies.WithCertAutoenrollCmd([]string{"/bin/true"}), policies.WithSystemUnitDir(systemUnitDir), policies.WithProxyApplier(&mockProxyApplier{wantApplyError: tc.noUbuntuProxyManager}), policies.WithSystemdCaller(&testutils.MockSystemdCaller{}), diff --git a/internal/policies/testdata/TestApplyPolicies/golden/no_subscription_is_only_dconf_content/var/cache/adsys/policies/hostname/policies b/internal/policies/testdata/TestApplyPolicies/golden/no_subscription_is_only_dconf_content/var/cache/adsys/policies/hostname/policies index 65c86435b..0fa3a5d6a 100644 --- a/internal/policies/testdata/TestApplyPolicies/golden/no_subscription_is_only_dconf_content/var/cache/adsys/policies/hostname/policies +++ b/internal/policies/testdata/TestApplyPolicies/golden/no_subscription_is_only_dconf_content/var/cache/adsys/policies/hostname/policies 
@@ -9,6 +9,10 @@ gpos:
 usr.bin.bar
 nested/usr.bin.baz
 disabled: false
+ certificate:
+ - key: autoenroll
+ value: "7"
+ disabled: false
 dconf:
 - key: path/to/key1
 value: ValueOfKey1
diff --git "a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/var/cache/adsys/policies/hostname/policies" "b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/var/cache/adsys/policies/hostname/policies"
index 65c86435b..0fa3a5d6a 100644
--- "a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/var/cache/adsys/policies/hostname/policies"
+++ "b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/var/cache/adsys/policies/hostname/policies"
@@ -9,6 +9,10 @@ gpos:
 usr.bin.bar
 nested/usr.bin.baz
 disabled: false
+ certificate:
+ - key: autoenroll
+ value: "7"
+ disabled: false
 dconf:
 - key: path/to/key1
 value: ValueOfKey1
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/var/cache/adsys/policies/hostname/policies b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/var/cache/adsys/policies/hostname/policies
index 65c86435b..0fa3a5d6a 100644
--- a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/var/cache/adsys/policies/hostname/policies
+++ b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/var/cache/adsys/policies/hostname/policies
@@ -9,6 +9,10 @@ gpos:
 usr.bin.bar
 nested/usr.bin.baz
 disabled: false
+ certificate:
+ - key: autoenroll
+ value: "7"
+ disabled: false
 dconf:
 - key: path/to/key1
 value: ValueOfKey1
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/succeed/var/cache/adsys/policies/hostname/policies b/internal/policies/testdata/TestApplyPolicies/golden/succeed/var/cache/adsys/policies/hostname/policies
index 65c86435b..0fa3a5d6a 100644
--- a/internal/policies/testdata/TestApplyPolicies/golden/succeed/var/cache/adsys/policies/hostname/policies
+++ b/internal/policies/testdata/TestApplyPolicies/golden/succeed/var/cache/adsys/policies/hostname/policies
@@ -9,6 +9,10 @@ gpos:
 usr.bin.bar
 nested/usr.bin.baz
 disabled: false
+ certificate:
+ - key: autoenroll
+ value: "7"
+ disabled: false
 dconf:
 - key: path/to/key1
 value: ValueOfKey1
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/var/cache/adsys/policies/hostname/policies b/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/var/cache/adsys/policies/hostname/policies
index 65c86435b..0fa3a5d6a 100644
--- a/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/var/cache/adsys/policies/hostname/policies
+++ b/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/var/cache/adsys/policies/hostname/policies
@@ -9,6 +9,10 @@ gpos:
 usr.bin.bar
 nested/usr.bin.baz
 disabled: false
+ certificate:
+ - key: autoenroll
+ value: "7"
+ disabled: false
 dconf:
 - key: path/to/key1
 value: ValueOfKey1
diff --git a/internal/policies/testdata/cache/policies/all_entry_types/policies b/internal/policies/testdata/cache/policies/all_entry_types/policies
index 61abf0957..a25406b76 100644
--- a/internal/policies/testdata/cache/policies/all_entry_types/policies
+++ b/internal/policies/testdata/cache/policies/all_entry_types/policies
@@ -56,3 +56,7 @@ gpos:
 disabled: true
 - key: proxy/no-proxy
 value: localhost,127.0.0.1,::1
+ certificate:
+ - key: autoenroll
+ value: "7"
+ disabled: false
diff --git a/internal/policies/testdata/cache/policies/certificate_failing/policies b/internal/policies/testdata/cache/policies/certificate_failing/policies
new file mode 100644
index 000000000..a51413132
--- /dev/null
+++ b/internal/policies/testdata/cache/policies/certificate_failing/policies
@@ -0,0 +1,8 @@
+gpos:
+- id: '{GPOId}'
+ name: GPOName
+ rules:
+ certificate:
+ - key: autoenroll
+ value: "NotANumber"
+ disabled: false