Let's summarize:
1. update-crypto-policies --set DEFAULT:SHA1, then configure the SCEP security settings as described in 5.8.2. Configuring Security Settings for SCEP:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/...
2. With the latest generation of Cisco devices, SCEP enrolment works correctly with Dogtag 11.8.4; optionally:
- crypto pki trustpool import clean [terminal | url url]
- crypto pki trustpool import {terminal} {url url | ca-bundle} {vrf vrf-name | source interface interface-name}
- chain-validation stop
- password [string]
- hash sha256
- rsakeypair [key-label key-size encryption-key-size]
It does not work with eckeypair [label]: no CSR request is made at all, with the error: not found private key for eckeypair :(
3. Router(config)# crypto ca auth [trustpoint name]
4. Uncomment UID: and PWD: in flatfile.txt, set UID:ip_addr_of_router and PWD:[string], then, with debugging enabled:
Crypto PKI Msg debugging is on
Crypto PKI Trans debugging is on
Crypto PKI Certificate Server debugging is on
Crypto PKI SCEP Messages debugging is on
Router(config)# crypto pki enroll [trustpoint name]
Insert serial number(yes/no)?
Request certificate from CA(yes/no)?
All done.
5. Unfortunately, the old Cisco hardware with IOS >=12.X and SHA-1 cannot request certs, due to Subj.
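The steps 2 to 4 above collected into one IOS trustpoint configuration, as an added example that is not the poster's configuration: the CA address 192.0.2.10, the router's source interface and address, the trustpoint name DOGTAG, the key label DOGTAG-KEY, the subject name, the challenge password and the SCEP path are all assumed values; the `revocation-check none` line is an assumption that is not in the post (set it to `crl` if the CA publishes a reachable CRL). The trustpool import commands the poster lists as optional are left out.

```cisco
! Added example, not the poster's configuration. Assumed values are
! marked; replace them with your own CA host, interfaces and names.
ip domain name example.test
!
crypto pki trustpoint DOGTAG
 ! Assumed SCEP endpoint of the Dogtag CA subsystem; check your CA docs
 enrollment url http://192.0.2.10:8080/ca/cgi-bin/pkiclient.exe
 ! Requests must leave from the address entered as UID: in flatfile.txt
 source interface GigabitEthernet0/0
 ! Challenge password: the same value as PWD: in flatfile.txt (assumed)
 password ChangeMe42
 subject-name CN=router1.example.test
 ! Sign the request with SHA-256 (step 2); SHA-1 only works on the CA
 ! side after the DEFAULT:SHA1 policy from step 1
 hash sha256
 ! RSA keypair: eckeypair does not produce a CSR against this CA (step 2)
 rsakeypair DOGTAG-KEY 2048
 ! Trust stops at this CA certificate (step 2)
 chain-validation stop
 ! Assumed; not in the post. Use "crl" if the CA's CRL is reachable
 revocation-check none
!
! Steps 3 and 4 are then typed at the CLI (interactive prompts as in step 4):
! Router# debug crypto pki transactions
! Router# debug crypto pki messages
! Router(config)# crypto pki authenticate DOGTAG
! Router(config)# crypto pki enroll DOGTAG
```

`crypto pki authenticate` is the current form of the `crypto ca auth` command from step 3; it fetches and fingerprints the CA certificate, and the fingerprint should be compared against the CA's own before answering yes. The UID:/PWD: pair in flatfile.txt is consumed by the CA on the enrol step, so the `password` value here has to match PWD: exactly and the request has to arrive from the UID: address.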