Hi,

We gathered some experience using SCEP and Dogtag. To be a little more precise, we are issuing certs to Cisco routers by the thousands (the whole sales force needs these...)

The current implementation works, but still leaves some space for improvement :-)

Your client initially needs a password that must be known to the CA in the flatfileauth file used for your SCEP profile. The CA has a simple (more of an example) application to request such a password; we tied it to our order system to further authenticate those requests.

When your CA certificate (or the certificate you are using for SCEP) sits in an HSM, you'll need quite an extension to the existing code, as the current code will not be able to decrypt the requests (in this case due to Cisco's error, but we have to serve our clients...)

The flatfileauth module still has a longstanding bug (from the iPlanet days of the Dogtag code) that prevents it from working with tag names other than the default ones; easy to fix, but hair-tearing when you debug it. (See https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html for details)

The Cisco client still complains about some operations not being implemented, but works after those modifications.

Yours,

Alexander