Hi All,<div><br></div><div>Has someone confirm that dogtag can be configured such that a SCEP request from a router is approved manually by an agent at the CA or RA?</div><div><br></div><div>The following are the steps I do to test this scenario:</div>
<div>1. In the CA, I create a profile, called router profile.</div><div>2. This router profile is similar to the caRouterCert profile</div><div>3. In this profile, I disable the visibility such that this profile is not visible in the CA&#39;s end-entity web page.</div>
<div>4. The profile&#39;s Certificate Profile Authentication filed is left empty; implying that the request will be handled by the CA agent.</div><div>5. I am using Simple SCEP as my SCEP client.</div><div>6. At the sscep client, I generate a CSR using mkrequest.  During CSR generation using the mkrequest, I did not include PIN (or challenge-response PIN), since  did not ask the RA to generate a PIN for me.  The reason is, I would like the agent to manually approve the request.</div>
<div>7. using sscep enroll, I made the scep client to send SCEP enroll to the CA</div><div>    ./sscep enroll -c ca.crt -k local.key -r local.csr -l local.crt -u <a href="http://ca.fqdn:9180/ca/cgi-bin/pkiclient.exe">http://ca.fqdn:9180/ca/cgi-bin/pkiclient.exe</a></div>
<div>8. I turned on sscep debug and verbose.  From this debug and verbose output, I observed that the scep client sends HTTP GET /ca/cgi-bin/pkiclient.exe?operation=PKIOperation&amp;message=MIIH3A.................</div><div>
9. Also from the sscep debug message, I noticed that the CA responses with status code 200.  The CA sends a PKCS7 payload.</div><div>10. Inside the payload is the router certificate.</div><div><br></div><div>My question is:. Why the CA does not queue this request for agent approval?</div>
<div><br></div><div>Thanks in advance,</div><div>Erwin</div>