PowerShell
ssl_lss, 2020-09-06 21:21:54

How to automate the creation of pfx certificates?

A task came up to automate the creation of PFX user certificates from AD. At the moment it is done by hand, and a lot of time is spent in the snap-in (Personal - Certificates (RMB) - All Tasks - Advanced Operations - Enroll On Behalf Of... - Next - Next - Browse, etc.).
As I understand it, I need to dig towards PowerShell...
P.S. Google brought me to this article: club.directum.ru/post/791

The link is served without an SSL certificate, just in case.


Is there a more elegant solution?

1 answer(s)
CityCat4, 2020-09-07

Automating the issuance of mail certificates is the right and natural thing to do. But the following must be taken into account before starting a mass rollout:
- the admin / infosec officer should always have a copy of the users' mail certificates (I already have three of them, and they are all stored in different places). Because the mail is stored encrypted (that is, it lies on the server in that form), and if the key is lost, it turns into a pumpkin. Absolutely no chance of recovery.
- the issuance of mail certificates, accordingly, should be organized so that the .p12 is created manually by the administrator, so that certificates can be transferred from computer to computer, because issuing a certificate on a local computer places the certificate key (possibly, I did not check!) into the local store immediately, with no chance of extracting it from there, and any reinstallation of Windows turns the mail into a pumpkin.
- certificates are issued for a year, and they need to be reissued in a timely manner. If you plan to use external mail readers with certificates (such as MailDroid), you must have an available and valid CRL; for example, decryption in MailDroid may not work without it.
- perhaps there is a way to do it entirely on Windows, but I do not know it. I used to use a Windows CA, and it was really a pain to create a CSR on Linux, paste it into the web interface of the CA service on Windows, export the certificate to Linux, build the PKCS#12... For some time now I've been doing all of this on Linux.
UPD: Write if anything comes up. My e-mail is in my profile. Mail certificates are quite a topic.
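
The Linux workflow the answer describes (key and CSR, CA signing, PKCS#12 build, expiry check), as an added example that is not part of the original answer. The function names, the `P12_PASS` variable and the throwaway test CA are assumptions; the test CA only stands in for the real CA that signs the CSR.

```shell
# Added example. Assumptions: OpenSSL 1.1.1+, P12_PASS exported by the caller.
# make_test_ca builds a constructed CA that stands in for the real CA.

make_test_ca() {        # $1 = work dir
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Constructed Test CA" \
      -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null )
}

make_user_p12() {       # $1 = work dir, $2 = file base name, $3 = CN, $4 = e-mail
  ( umask 077; cd "$1" &&
    # 1. Key and CSR are created on the admin side, so a backup copy can be kept.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
      -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    # 2. Signing: replace this step with submission to the real CA.
    printf '%s\n' "subjectAltName=email:$4" \
      "keyUsage=digitalSignature,keyEncipherment" \
      "extendedKeyUsage=emailProtection" > "$2.ext" &&
    openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -extfile "$2.ext" -out "$2.crt" 2>/dev/null &&
    # 3. Bundle key, certificate and CA certificate. The password is read from
    #    the environment, not argv, so it is not visible in the process list.
    openssl pkcs12 -export -inkey "$2.key" -in "$2.crt" -certfile ca.crt \
      -name "$3" -passout env:P12_PASS -out "$2.p12" &&
    rm -f "$2.csr" "$2.ext" )
}

p12_subject() {         # $1 = .p12 file; prints the user certificate subject
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject
}

p12_valid_for_days() {  # $1 = .p12 file, $2 = days; 0 if still valid by then
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Running `p12_valid_for_days` from a scheduled job against the archived `.p12` files gives early warning for the yearly reissue the answer mentions.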
