I have a Microsoft CA with the SCEP plugin. It works fine for signing IKE/VPN certs for routers when I'm only deploying one or two routers at a time.
But now I have a rollout coming up where I'll have to deploy 50 routers initially, then, most likely, a few hundred shortly thereafter. It is highly likely that we will have the new routers shipped directly to a 3rd party who will then load pre-generated config files and deploy them at their respective remote locations. The 3rd party would not have access to my SCEP-enabled CA.
Is there any way that I can pre-generate key pairs and certs right on the CA (or some other workstation or router), and import them into the routers later? I know that I can import the CA root cert offline. It's the public/private key pair and identity cert that I'm concerned with.