General questions about certificate use in application
1) Using my certificate, create a certificate for each license of my software.
2) From each license allow the user to create a certificate for that user's accounts (one license can have more than one user).
3) Then each user can use their private certificate to sign/encrypt messages to the other peers.
4) The peers exchange certificates as part of the mesh protocol. These can be verified because they will be signed by the license certificates, which are signed by the company certificate, which is distributed with the software.
5) When a message comes in it is verified against the store of known peer certificates.
In order for this to work end-users need to be able to create certificates from license certificates. I have found what I need to read certificates, and load certificates, using .Net 2.0 features. What is missing is how to create an X509 certificate given a private key / certificate pair (distributed to licenses via email or other transport). The actual application has several more levels of CA/certificate issuance, but the above sequence has the key parts. Is there a way to generate the private/public key pair and create a certificate as part of an application?
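
An added example, not part of the original post: the chain from steps 1 to 5 (company root, license CA, user certificate) created and verified in-process with `CertificateRequest` and `X509Chain`. It assumes .NET 6 or later, because these APIs do not exist in .NET 2.0; `MeshPki` and the subject names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class MeshPki   // hypothetical helper, written for this example
{
    // issuer == null: self-signed root. caPathLen == null: end-entity (user) certificate;
    // otherwise a CA that may have caPathLen further CA levels beneath it.
    static X509Certificate2 Create(string name, X509Certificate2? issuer, int? caPathLen, int days)
    {
        bool isCa = caPathLen.HasValue;
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest("CN=" + name, key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(
            new X509BasicConstraintsExtension(isCa, isCa, caPathLen ?? 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            isCa ? X509KeyUsageFlags.KeyCertSign : X509KeyUsageFlags.DigitalSignature, true));
        DateTimeOffset now = DateTimeOffset.UtcNow;
        if (issuer == null)
            return req.CreateSelfSigned(now, now.AddDays(days));
        // Create() requires the child's validity period to nest inside the issuer's.
        using X509Certificate2 pub = req.Create(issuer, now, now.AddDays(days),
            RandomNumberGenerator.GetBytes(16));    // random 128-bit serial number
        return pub.CopyWithPrivateKey(key);         // attach the newly generated private key
    }

    // Step 5: accept a peer certificate only if it chains to the company root
    // that ships with the software. The machine trust store is not consulted.
    static bool ChainsToRoot(X509Certificate2 peer, X509Certificate2 licenseCa, X509Certificate2 root)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.Add(licenseCa);   // intermediate sent by the peer
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;  // no CRL in this sketch
        return chain.Build(peer);
    }

    static void Main()
    {
        using var root = Create("Example Company Root", null, 1, 3650);      // company certificate
        using var license = Create("License 0001", root, 0, 365);           // one per license
        using var user = Create("alice@license-0001", license, null, 30);   // one per user account
        Console.WriteLine(ChainsToRoot(user, license, root));
    }
}
```

The basic-constraints values carry the security of the design: the license certificate is a CA with path length 0, so it can sign user certificates but not further CAs, and user certificates are marked as non-CA so a user's key cannot issue certificates that validate.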

