Hi All,
Has someone confirmed that Dogtag can be configured such that a SCEP request
from a router is approved manually by an agent at the CA or RA?
The following are the steps I do to test this scenario:
1. In the CA, I create a profile called router profile.
2. This router profile is similar to the caRouterCert profile.
3. In this profile, I disable the visibility such that this profile is not
visible in the CA's end-entity web page.
4. The profile's Certificate Profile Authentication field is left empty,
implying that the request will be handled by the CA agent.
5. I am using Simple SCEP as my SCEP client.
6. At the sscep client, I generate a CSR using mkrequest. During CSR
generation using mkrequest, I did not include a PIN (or challenge-response
PIN), since I did not ask the RA to generate a PIN for me. The reason is, I
would like the agent to manually approve the request.
7. Using sscep enroll, I made the SCEP client send a SCEP enroll request to the CA:
./sscep enroll -c ca.crt -k local.key -r local.csr -l local.crt -u
http://ca.fqdn:9180/ca/cgi-bin/pkiclient.exe
8. I turned on sscep debug and verbose. From this debug and verbose output,
I observed that the SCEP client sends an HTTP GET
/ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIIH3A.................
9. Also from the sscep debug message, I noticed that the CA responds with
status code 200. The CA sends a PKCS7 payload.
10. Inside the payload is the router certificate.
My question is: why does the CA not queue this request for agent approval?
Thanks in advance,
Erwin
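As an added example (not from this thread, and not Dogtag or sscep code), the following Python helper pulls the SCEP pkiStatus out of a DER-encoded CertRep, which is the quickest way to tell whether the CA actually issued the certificate (SUCCESS, "0") or queued the request for the agent (PENDING, "3"). The sample attribute sets are constructed inline; the parser assumes definite-length DER, and a real response body must be base64-decoded before it is passed in.

```python
# SCEP attribute OIDs (RFC 8894) as DER OID contents:
# messageType = 2.16.840.1.113733.1.9.2, pkiStatus = 2.16.840.1.113733.1.9.3
MESSAGE_TYPE_OID = bytes.fromhex("6086480186f845010902")
PKI_STATUS_OID = bytes.fromhex("6086480186f845010903")
STATUS_NAMES = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}

def _tlv(tag, body):
    """Encode one short-form DER TLV (body shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body

def _attr(oid, value):
    """Attribute ::= SEQUENCE { type OID, values SET OF PrintableString }."""
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x31, _tlv(0x13, value)))

# Constructed sample signed-attribute sets, as a CertRep (messageType 3) carries them
SAMPLE_PENDING = _tlv(0x31, _attr(MESSAGE_TYPE_OID, b"3") + _attr(PKI_STATUS_OID, b"3"))
SAMPLE_SUCCESS = _tlv(0x31, _attr(MESSAGE_TYPE_OID, b"3") + _attr(PKI_STATUS_OID, b"0"))

def _read_tlv(buf, pos):
    """Parse one definite-length DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _walk(buf):
    """Yield (tag, value) for every TLV in buf, descending into constructed types."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value
        if tag & 0x20:  # constructed (SEQUENCE, SET, ...): recurse into children
            yield from _walk(value)

def scep_pki_status(der):
    """Return the SCEP pkiStatus name found anywhere in a DER blob, or None."""
    for tag, value in _walk(der):
        if tag != 0x30 or len(value) < 2:
            continue
        t, oid, nxt = _read_tlv(value, 0)
        if t == 0x06 and oid == PKI_STATUS_OID:
            _, values, _ = _read_tlv(value, nxt)   # SET OF AttributeValue
            _, status, _ = _read_tlv(values, 0)    # PrintableString "0", "2" or "3"
            code = status.decode("ascii")
            return STATUS_NAMES.get(code, "UNKNOWN(" + code + ")")
    return None
```

If the response from the CA reports SUCCESS rather than PENDING, the profile did issue the certificate immediately instead of deferring to the agent queue.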