Not sure if I understand 100%, but if I understood correctly you need to:
- get user certificate from userCertificate attribute,
- parse it
- extract subject field, and use CN component

You won't be able to do this by using the AD MA alone; you'll need to create an advanced rule that would do the application logic for you (e.g. you need a management agent extension where you would load the userCertificate and parse it using the .NET X509Certificate2 class; see https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.subjectname?view=net-5.0 for more info).

Another way to do this would be with a PowerShell management agent, where you might directly access the .NET classes and extract the necessary information.

Both ways require some effort and are not entirely straightforward.

Martin
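
The three steps from the answer above, as an added PowerShell example that is not part of the original post. The function names and the rule for choosing among several certificates are assumptions, the attribute values are assumed to arrive as byte arrays, and the self-signed sample certificate is constructed in memory (that part needs .NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-CertificateCommonName {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # Format($true) prints one RDN per line, e.g. "CN=Jane Doe".
    foreach ($rdn in $Certificate.SubjectName.Format($true) -split "`r?`n") {
        if ($rdn -match '^\s*CN=(.+)$') { return $Matches[1].Trim() }
    }
    return $null   # subject carries no CN component
}

function Get-UserCertificateCN {
    # userCertificate is multi-valued: each value is one DER-encoded certificate.
    param([Parameter(Mandatory)][byte[][]]$RawValues)
    $now = Get-Date
    $certs = foreach ($raw in $RawValues) {
        try { [X509Certificate2]::new($raw) }
        catch { Write-Warning 'Skipping a userCertificate value that is not a certificate' }
    }
    # Assumed selection policy: the currently valid certificate that expires last.
    $chosen = $certs |
        Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if ($chosen) { Get-CertificateCommonName -Certificate $chosen }
}

# Constructed sample input: one self-signed certificate plus one junk value,
# standing in for what a directory read of userCertificate would return.
$rsa     = [RSA]::Create(2048)
$hash    = [HashAlgorithmName]::SHA256
$padding = [RSASignaturePadding]::Pkcs1
$req     = [CertificateRequest]::new('CN=Jane Doe, OU=Staff, O=Example', $rsa, $hash, $padding)
$start   = [DateTimeOffset]::UtcNow.AddMinutes(-5)
$der     = $req.CreateSelfSigned($start, $start.AddDays(1)).RawData
$values  = @($der, [byte[]](1, 2, 3))

Get-UserCertificateCN -RawValues $values
```

Parsing the subject does not validate the certificate chain, so the CN is only as trustworthy as whoever is allowed to write the userCertificate attribute; multi-valued RDNs and escaped characters in the CN are not handled by this line-based split.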