MaYnMaN, I had to use PowerShell to set the CertificateUserIds value in the GCC-High environment I tested with last weekend.
It really was as simple as 1. Configuring the Root and Intermediate CAs and 2. Setting the CertificateUserIds. Here's the PowerShell to retrieve and set the value for one user.
Connect-MgGraph -Environment usgov -Scopes "User.ReadWrite.All"
$upnuser = "email address removed for privacy reasons"
$upncert = "1234567890123456@mil"
## Retrieve Authorization Info
$user = Get-MgUser -UserId $upnuser -Property Id,DisplayName,UserPrincipalName,UserType,AuthorizationInfo
$user | select Id,DisplayName,UserPrincipalName,UserType,@{n="CertificateUserIds";e={$_.AuthorizationInfo.CertificateUserIds}} | ft -AutoSize
## Set Authorization Info
$contenttype = "application/json; charset=utf-8"
$body = @{
authorizationInfo = @{
certificateUserIds = @("X509:<PN>{0}" -f $upncert)
}
} | ConvertTo-Json
$uri = "https://graph.microsoft.us/v1.0/users/{0}" -f $upnuser
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType $contenttype -Body $body