I stuck.
We have server EJBCA that generates keys for email users. And application on QT that must simplifies get/set own and other's users certificates in Windows store and email client.
We need some points:
- request user registration;
- logon to EJBCA with username/password(that comes to user email) and generate and retrieve .p12 certificate;
- get's x509 certificates already created users;
- get list available CA's.

We can't find useful way to do it. Some of this achieved via cmp, ws services, scep. But all of this require client have admin's certificate or shared secret(over cmp).
That's functionality available on Public Web without any admin privileges. Can I do it in code?