Securing application settings in Active Directory

I'm trying to help our development team solve a problem that I think seems pretty simple. We have settings in our application, for example, an SMTP Authentication password, or a server connection password, that need to be encrypted and secure. Previously, we used a static key to encrypt these values, then the decryption key was hard-coded into the application. This is not secure.

We're rewriting the application, and I'm trying to figure out a way to encrypt these values securely, using certificates. I've tried creating a certificate and using Active Directory to distribute that certificate, but we are running into issues with the certificate type not being correct. I'm not even sure that this type of certificate is the correct way to distribute this key for decryption.

The entire process needs to be hands-off. This application is installed on more than 1000 machines, and it's installed by a team with dozens of people. Distributing a pre-shared password to enter on installation isn't really secure or practical. I'm sure that this is a problem that's been solved, but I don't know how to do it.



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
