Hi,
We gathered some experience using SCEP and Dogtag. To be a little more
precise, we are issuing certs to Cisco routers by the thousands (the whole
sales force needs these...).
The current implementation works, but still leaves some space for
improvement :-)
Your client initially needs a password that must be known to the CA in the
flatfileauth file used for your SCEP profile. The CA has a simple (more of an
example) application to request such a password; we tied it to our order
system to further authenticate those requests.
When your CA certificate (or the certificate you are using for SCEP) sits
in an HSM, you'll need quite an extension to the existing code, as the
current code will not be able to decrypt the requests (in this case due to
Cisco's error - but we have to serve our clients...).
The flatfileauth module still has a longstanding bug (from the iPlanet days
of the Dogtag code) that prevents it from working with other tag names than the
default ones; easy to fix, but hair-tearing when you debug it. (See
https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html for
details.)
The Cisco client still complains about some operations not being implemented,
but works after those modifications.
Yours,
Alexander