Public key infrastructure: obtain S/MIME from Digicert, escrow at the local CA.

I am trying to crack the following nut: I have a contract with Digicert for S/MIME certificates for my organization. Digicert allows its API to be used for certificate issuance.

Unfortunately, I cannot let users enroll themselves because I need to store their encryption keys.

So far I have been generating the key pairs on a dedicated machine, having the CSR signed on the Digicert site, uploading the private key for escrow at the local CA, and then sending everything to the end user.

However, what I would prefer is to never touch the user's private key. This is possible with Active Directory autoenrollment, but I cannot autoenroll with Digicert.

Any idea how to marry those two worlds?
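The manual workflow the question describes (generate the key pair on a dedicated machine, have Digicert sign a CSR, escrow the private key at the local CA) scripted with the openssl CLI, as an added example that is not part of the original post and not Digicert's or the local CA's own tooling. It assumes openssl 1.1.1 or newer (for `-addext`), an escrow passphrase supplied in the `ESCROW_PASS` environment variable, and that `csr.pem` is what gets submitted to the Digicert API; the issued certificate is not shown because it comes back from Digicert. The function names `make_smime_csr` and `verify_escrow` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): the manual S/MIME issuance and
# escrow steps, scripted. Assumptions: openssl >= 1.1.1 on PATH, the escrow
# passphrase in $ESCROW_PASS, and csr.pem is what is sent to Digicert.
set -eu

# make_smime_csr EMAIL COMMON_NAME OUTDIR
# Generates a 3072-bit RSA key pair and a CSR that carries the e-mail address both
# in the subject and as an rfc822Name SAN (what S/MIME clients match against),
# then wraps the private key as passphrase-protected PKCS#8 for the escrow store.
# The plaintext key file is removed before the function returns.
make_smime_csr() {
    email="$1"; cn="$2"; outdir="$3"
    : "${ESCROW_PASS:?set the escrow passphrase in the environment}"
    mkdir -p "$outdir"
    umask 077   # key material must not be group/world readable (persists in the shell)
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$outdir/key.pem" -out "$outdir/csr.pem" \
        -subj "/CN=$cn/emailAddress=$email" \
        -addext "subjectAltName=email:$email" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=emailProtection" 2>/dev/null
    # Escrow copy: PKCS#8, PBKDF2 + AES-256-CBC, never the plaintext key.
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$outdir/key.pem" \
        -out "$outdir/key.escrow.p8" -passout env:ESCROW_PASS
    rm -f "$outdir/key.pem"
}

# verify_escrow OUTDIR
# Returns 0 only if the CSR's self-signature checks out, the CSR carries an
# e-mail SAN, and the escrowed key decrypts to exactly the key the CSR was built
# from. Run this before anything is uploaded to Digicert or the local CA.
verify_escrow() {
    outdir="$1"
    # 'verify OK' appears in both the 1.1.1 and 3.x messages; the exit status of
    # 'req -verify' is not reliable across versions, so match the text instead.
    openssl req -in "$outdir/csr.pem" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$outdir/csr.pem" -noout -text | grep -q 'email:' || return 1
    csr_pub=$(openssl req -in "$outdir/csr.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$outdir/key.escrow.p8" -passin env:ESCROW_PASS -pubout)
    [ "$csr_pub" = "$key_pub" ]
}
```

Source the file and call `ESCROW_PASS=... make_smime_csr alice@example.com 'Alice Example' ./out`; `out/csr.pem` is what goes to Digicert and `out/key.escrow.p8` is the only copy of the key that should reach the escrow store. Note that even this scripted version still means the admin machine has seen the plaintext key, which is exactly the property the question wants to get rid of.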