Does anybody have SCEP working with a "challenge password" with either a Microsoft or IOS CA? Could you share the relevant config bits?
I know the PW needs to be entered when the SCEP plugin is installed on the MS CA, but the requests from the routers fail when a challenge pw is configured. I never get prompted for a pw, and the only pw config in the client router seems to be for creating a password that you'd need if you ever wanted to revoke the cert.
I have a Microsoft CA that works without a password, which automatically grants all cert requests, but when I configure a SCEP challenge password, the cert requests fail. If I set the CA to require approval before signing the certs, the CA gets the requests just fine; I approve the requests and the CA issues a cert, but the routers are never successful at retrieving the signed certs. I'd rather not have my CA configured to automatically grant every request from anybody who finds it without so much as a password. That's not what I'd call secure.
I've also gotten an IOS CA to work without passwords or approval but I'd prefer to use the MS CA.