I am trying to crack the following nut: I have a contract with Digicert for S/MIME certificates for my organization. Digicert allows using its API for the issuance of certificates.
Unfortunately, I cannot let users sign up themselves because I need to store their encryption keys.
To date, I generate their key pairs on a dedicated machine, sign the CSR on the Digicert site, upload the private key to be deposited at the local CA, and then send everything to the end user.
However, what I would prefer is to never touch the user's private key. This is possible with Active Directory automatic enrollment, but I cannot automatically register with Digicert.
Any idea how to marry those two worlds?
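The enrollment model the question is aiming at, where the key pair is generated on the end user's side and only a CSR (public key plus self-signature) travels to whoever talks to the CA, looks like this in plain OpenSSL. This is an added example, not code from the original post and not Digicert's or Microsoft's tooling; it assumes `openssl` (1.1.1 or newer, for `-addext`) is installed, and the subject name and e-mail address are constructed sample values. It does not solve the Digicert-API-to-Active-Directory bridge itself; it shows the checks an enrollment step can make on a user-supplied CSR before submitting it to a CA.

```shell
#!/bin/sh
# Added example, not from the original post: user-side key generation plus a CSR,
# so that only the CSR (public key + signature) travels to the enrollment system.
# Assumes openssl is installed; the subject and e-mail are constructed sample values.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the key pair on the end user's machine. The private key never leaves $WORKDIR.
gen_user_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORKDIR/user.key" 2>/dev/null
}

# Build a CSR carrying the subject and the rfc822Name SAN an S/MIME certificate needs.
make_csr() {
  openssl req -new -key "$WORKDIR/user.key" -out "$WORKDIR/user.csr" \
    -subj "/CN=Alice Example/emailAddress=alice@example.org" \
    -addext "subjectAltName=email:alice@example.org" 2>/dev/null
}

# What an enrollment service (or an admin) can check before submitting to the CA:
# the CSR's self-signature verifies, and the file contains no private key material.
csr_is_clean() {
  openssl req -in "$WORKDIR/user.csr" -noout -verify >/dev/null 2>&1 || return 1
  ! grep -q "PRIVATE KEY" "$WORKDIR/user.csr"
}

# Confirms the public key in the CSR matches the locally held private key
# (compared via the SHA-256 digest of the PEM-encoded public key).
csr_matches_key() {
  k="$(openssl pkey -in "$WORKDIR/user.key" -pubout 2>/dev/null | openssl sha256)"
  c="$(openssl req -in "$WORKDIR/user.csr" -noout -pubkey 2>/dev/null | openssl sha256)"
  [ "$k" = "$c" ]
}

gen_user_key
make_csr
csr_is_clean && csr_matches_key && echo "CSR ready for submission: $WORKDIR/user.csr"
```

Only `user.csr` would be handed to the system that drives the CA's API; `user.key` stays with the user, which is the property the question asks for.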