Hi,
we gathered some experience using SCEP and Dogtag. To be a little more precise, we are issuing certs to Cisco routers by the thousands (the whole sales force needs these...). The current implementation works, but still leaves some room for improvement :-)

Your client initially needs a password that must be known to the CA in the flatfileauth file used for your SCEP profile. The CA has a simple (more of an example) application to request such a password; we tied it to our order system to further authenticate those requests.

When your CA certificate (or the certificate you are using for SCEP) sits in an HSM, you'll need quite an extension to the existing code, as the current code will not be able to decrypt the requests (in this case due to Cisco's error - but we have to serve our clients...).

The Cisco client still complains about some operations not being implemented, but works after those modifications.
Yours,
Alexander
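As an added illustration of the password step described above (example code, not from the post or from Dogtag itself): a small helper that issues a fresh random enrollment password per device, writes it into the flat-file auth format, and can parse the file back for auditing. It assumes the flatfileauth file holds two-line `UID:`/`PWD:` records separated by blank lines (an assumption about the plugin's format) and uses constructed hostnames.

```python
"""One-time SCEP enrollment passwords for a Dogtag flat-file auth file.
Added example, not code from the mailing-list post. Assumed record format:
`UID:<identifier>` then `PWD:<password>`, records separated by a blank line."""
import secrets
import string
from pathlib import Path

ALPHABET = string.ascii_letters + string.digits


def make_password(length: int = 20) -> str:
    """Return a random password from the CSPRNG; one per device, never reused."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def flatfile_record(uid: str, pwd: str) -> str:
    """Render one record. Reject newlines so a crafted UID cannot inject a
    second record (the file is the CA's trust anchor for enrollment)."""
    if any(c in "\r\n" for c in uid + pwd):
        raise ValueError("record fields must not contain newlines")
    return f"UID:{uid}\nPWD:{pwd}\n"


def parse_flatfile(text: str) -> dict[str, str]:
    """Parse records back into {uid: pwd} so issued passwords can be audited."""
    entries: dict[str, str] = {}
    uid = None
    for line in text.splitlines():
        line = line.strip()
        if not line:          # blank line ends the current record
            uid = None
            continue
        key, _, value = line.partition(":")
        if key == "UID":
            uid = value
        elif key == "PWD" and uid is not None:
            entries[uid] = value
    return entries


def issue_passwords(uids, path: Path) -> dict[str, str]:
    """Append a fresh password for each device UID to the auth file."""
    issued = {uid: make_password() for uid in uids}
    with path.open("a", encoding="ascii") as fh:
        for uid, pwd in issued.items():
            fh.write(flatfile_record(uid, pwd) + "\n")
    return issued


if __name__ == "__main__":
    # Constructed sample device identifiers, written to a local demo file.
    print(issue_passwords(["rtr-0001.example.invalid", "rtr-0002.example.invalid"],
                          Path("flatfile-demo.txt")))
```

The order-system tie-in the post mentions would sit in front of `issue_passwords`, deciding which UIDs are allowed to receive a password at all.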