Ciphermail Email Gateway and EJBCA Integration

Ciphermail has a guide that explains how to configure a Ciphermail gateway so that it requests certificates from an external EJBCA server. Ciphermail Email Encryption Gateway is a standards-based, centrally managed email server (MTA) that encrypts and decrypts your incoming and outgoing email at the gateway level.

This is an extract from the complete guide.

With the Ciphermail-EJBCA integration, Ciphermail can automatically request certificates from EJBCA for a transparent email encryption experience.

The following steps set up Ciphermail to work with EJBCA.

Create Certificate for Ciphermail

Ciphermail communicates with EJBCA using the WebService interface. This means that Ciphermail needs an administrator certificate from EJBCA before it can connect to EJBCA.

To create a new administrator keystore for Ciphermail in EJBCA:

  • Create a P12 keystore for the administrator.

  • Add the administrator certificate to a role in EJBCA with RA privileges, i.e. privileges to add/edit end entities.

Configure Ciphermail

  • Configure the EJBCA certificate request handler.

  • Configure properties as described in the Ciphermail-EJBCA Setup Guide.

Configure EJBCA

  • Create a Certificate Profile with the following:

    • Key Usage: Digital Signature and Key encipherment.

    • Extended Key Usage: Any Extended Key Usage or Email Protection (but not both).

  • Create an End Entity Profile with:

    • RFC 822 Name as Subject Alternative Name.

When the setup is done, select the EJBCA Certificate Request Handler in the CA configuration of Ciphermail.
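
To confirm that certificates issued through this setup match the Certificate Profile and End Entity Profile settings above, the extensions printed by `openssl x509 -noout -text` can be checked. The following is an added example, not taken from the Ciphermail or EJBCA guides; the function names are hypothetical, the sample text is constructed, and it assumes the usual OpenSSL text layout with extension values on the line after each header.

```python
import re

# Constructed samples in the layout printed by `openssl x509 -noout -text`.
SAMPLE_OK = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                E-mail Protection
            X509v3 Subject Alternative Name:
                email:alice@example.com
"""
SAMPLE_BAD = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Any Extended Key Usage, E-mail Protection
            X509v3 Subject Alternative Name:
                DNS:mail.example.com
"""

def extension_values(text, name):
    """Return the comma-separated values printed under one extension header."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip().startswith(f"X509v3 {name}:"):
            return [v.strip() for v in lines[i + 1].split(",") if v.strip()]
    return []

def check_profile(text):
    """List deviations from the profile described on this page."""
    problems = []
    key_usage = set(extension_values(text, "Key Usage"))
    for needed in ("Digital Signature", "Key Encipherment"):
        if needed not in key_usage:
            problems.append(f"Key Usage lacks {needed}")
    # Any Extended Key Usage or Email Protection, but not both.
    eku = set(extension_values(text, "Extended Key Usage"))
    if len(eku & {"Any Extended Key Usage", "E-mail Protection"}) != 1:
        problems.append("Extended Key Usage must hold exactly one of "
                        "Any Extended Key Usage / E-mail Protection")
    # OpenSSL prints an RFC 822 Name as "email:<address>".
    san = extension_values(text, "Subject Alternative Name")
    if not any(re.fullmatch(r"email:[^@\s]+@[^@\s]+", v) for v in san):
        problems.append("Subject Alternative Name has no RFC 822 Name")
    return problems

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_profile(sample) or "matches profile")
```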