Diffstat (limited to 'tests')
-rwxr-xr-x | tests/dogtag/Makefile | 2 | ||||
-rw-r--r-- | tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh | 188 | ||||
-rw-r--r-- | tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh | 192 | ||||
-rwxr-xr-x | tests/dogtag/runtest.sh | 48 | ||||
-rwxr-xr-x | tests/dogtag/shared/rhcs-shared.sh | 34 |
5 files changed, 447 insertions, 17 deletions
diff --git a/tests/dogtag/Makefile b/tests/dogtag/Makefile
index f13cd66c2..b9db34784 100755
--- a/tests/dogtag/Makefile
+++ b/tests/dogtag/Makefile
@@ -262,6 +262,7 @@ build: $(BUILT_FILES)
 chmod a+x ./acceptance/legacy/ca-tests/renewal/renew_manual.sh
 chmod a+x ./acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh
 chmod a+x ./acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh
+ chmod a+x ./acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh
 chmod a+x ./acceptance/legacy/drm-tests/acls/drm-ad-acls.sh
 chmod a+x ./acceptance/legacy/drm-tests/agent/drm-ag-tests.sh
 chmod a+x ./acceptance/legacy/drm-tests/internaldb/drm-ad-internaldb.sh
@@ -281,6 +282,7 @@ build: $(BUILT_FILES)
 chmod a+x ./acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh
 chmod a+x ./acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh
 chmod a+x ./acceptance/legacy/subca-tests/logs/subca-ad-logs.sh
+ chmod a+x ./acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh
 chmod a+x ./acceptance/legacy/ocsp-tests/usergroups/ocsp-ad-usergroups.sh
 chmod a+x ./acceptance/legacy/ocsp-tests/acls/ocsp-ad-acls.sh
 chmod a+x ./acceptance/legacy/ocsp-tests/logs/ocsp-ad-logs.sh
diff --git a/tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh b/tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh
new file mode 100644
index 000000000..01eec386b
--- /dev/null
+++ b/tests/dogtag/acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh
@@ -0,0 +1,188 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/ca-tests/scep_tests +# Description: SCEP Enrollment with CA +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following pki commands needs to be tested: +# /usr/bin/sscep +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Asha Akkiangady <aakkiang@redhat.com> +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. 
/opt/rhqa_pki/env.sh + +run_pki-legacy-ca-scep_tests() +{ + local subsystemType=$1 + local csRole=$2 + + rlPhaseStartSetup "Create temporary directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlPhaseEnd + + # Local Variables + get_topo_stack $csRole $TmpDir/topo_file + local CA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + local tomcat_name=$(eval echo \$${CA_INST}_TOMCAT_INSTANCE_NAME) + local ca_unsecure_port=$(eval echo \$${CA_INST}_UNSECURE_PORT) + local ca_secure_port=$(eval echo \$${CA_INST}_SECURE_PORT) + local ca_host=$(eval echo \$${csRole}) + local valid_agent_user=$CA_INST\_agentV + local valid_agent_user_password=$CA_INST\_agentV_password + local valid_admin_user=$CA_INST\_adminV + local valid_admin_user_password=$CA_INST\_adminV_password + local valid_audit_user=$CA_INST\_auditV + local valid_audit_user_password=$CA_INST\_auditV_password + local valid_operator_user=$CA_INST\_operatorV + local valid_operator_user_password=$CA_INST\_operatorV_password + local valid_agent_cert=$CA_INST\_agentV + local ca_config_file="/var/lib/pki/$tomcat_name/ca/conf/CS.cfg" + local search_string="ca.scep.enable=false" + local replace_string="ca.scep.enable=true" + + + rlPhaseStartTest "pki_ca_scep_tests-001: Perform scep enrollment with CA using sha512 fingerprint" + local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" + local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" + local scep_enroll_pin="netscape" + local scep_password="netscape" + local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + + #Turn on scep + replace_string_in_a_file $ca_config_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + rlRun "wget $scep_location/sscep -O $TmpDir/sscep" + #delete extisting sscep from /usr/bin if any + rlLog "Delete existing sscep from /usr/bin = rm -rf /usr/bin/sscep" + rlRun "rm -rf /usr/bin/sscep" + #Move sscep to /usr/bin + rlRun "mv $TmpDir/sscep /usr/bin" + rlRun "chmod +x /usr/bin/sscep" + #Get mkrequest + rlRun "wget $scep_location/mkrequest -O $TmpDir/mkrequest" + rlRun "mv $TmpDir/mkrequest /usr/bin" + rlRun "chmod +x /usr/bin/mkrequest" + + #Add a flatfile auth to the CA instance conf dir + local ca_file_loc="/var/lib/pki/$tomcat_name/ca/conf/flatfile.txt" + cat > $ca_file_loc << ca_file_loc_EOF +UID:$scep_host_ip +PWD:$scep_password +ca_file_loc_EOF + #Restart CA + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + + #Copy sscep.conf file + rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" + local digest="sha512" + + #do scep enrollment + rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" + + rlAssertGrep "pkistatus: SUCCESS" "$TmpDir/scep_enroll.out" + rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" + rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" + rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlPhaseEnd + + + rlPhaseStartTest "pki_ca_scep_tests-002: Perform scep enrollment with CA using sha256 fingerprint" + local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" + local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" + local scep_enroll_pin="netscape" + local scep_password="netscape" + local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + + #Turn on scep + replace_string_in_a_file $ca_config_file $search_string $replace_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + rlRun "wget $scep_location/sscep -O $TmpDir/sscep" + #delete extisting sscep from /usr/bin if any + rlLog "Delete existing sscep from /usr/bin = rm -rf /usr/bin/sscep" + rlRun "rm -rf /usr/bin/sscep" + #Move sscep to /usr/bin + rlRun "mv $TmpDir/sscep /usr/bin" + rlRun "chmod +x /usr/bin/sscep" + #Get mkrequest + rlRun "wget $scep_location/mkrequest -O $TmpDir/mkrequest" + rlRun "mv $TmpDir/mkrequest /usr/bin" + rlRun "chmod +x /usr/bin/mkrequest" + + #Add a flatfile auth to the CA instance conf dir + local ca_file_loc="/var/lib/pki/$tomcat_name/ca/conf/flatfile.txt" + cat > $ca_file_loc << ca_file_loc_EOF +UID:$scep_host_ip +PWD:$scep_password +ca_file_loc_EOF + #Restart CA + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + + local digest="sha256" + + #Copy sscep.conf file + rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" + local orig_fingerprint="FingerPrint sha512" + local replace_fingerprint="FingerPrint $digest" + replace_string_in_a_file $TmpDir/sscep.conf $orig_fingerprint $replace_fingerprint + + #do scep enrollment + rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" + + rlAssertGrep "pkistatus: SUCCESS" "$TmpDir/scep_enroll.out" + rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" + rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" + rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlPhaseEnd + rlPhaseStartTest "pki_ca_scep_tests_cleanup: delete temporary directory and turn off sscep " + #Delete temporary directory + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + + #Turn off scep + replace_string_in_a_file $ca_config_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd +} diff --git a/tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh b/tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh new file mode 100644 index 000000000..8c9c76af1 --- /dev/null +++ b/tests/dogtag/acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh 
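Review bot: Both test phases fetch `sscep` and `mkrequest` over plain `ftp://` with `wget`, move them into `/usr/bin` and execute them (presumably as root) without any integrity check, so whatever that FTP path serves is run on the CA host. Pin a digest and verify it before the `mv`, for example `rlRun "echo '<pinned-sha256-of-sscep>  $TmpDir/sscep' | sha256sum -c -"`, or install the tools from a signed package. The cleanup phase only flips `ca.scep.enable` back; the replaced `/usr/bin/sscep`, `/usr/bin/mkrequest` and the `flatfile.txt` holding the enrollment password stay in place. Separately, `replace_string_in_a_file $TmpDir/sscep.conf $orig_fingerprint $replace_fingerprint` is unquoted, so each two-word value is split into extra arguments; pass `"$orig_fingerprint" "$replace_fingerprint"`. subca-scep-enroll.sh repeats all three patterns.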
@@ -0,0 +1,192 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/rhcs/acceptance/legacy-tests/subca-tests/scep_tests +# Description: SCEP Enrollment with SUBCA +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# The following pki commands needs to be tested: +# /usr/bin/sscep +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Author: Asha Akkiangady <aakkiang@redhat.com> +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh +. /opt/rhqa_pki/rhcs-shared.sh +. 
/opt/rhqa_pki/env.sh + +run_pki-legacy-subca-scep_tests() +{ + local subsystemType=$1 + local csRole=$2 + + rlPhaseStartSetup "Create temporary directory" + rlRun "TmpDir=\`mktemp -d\`" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlPhaseEnd + + # Local Variables + get_topo_stack $csRole $TmpDir/topo_file + if [ $cs_Role="MASTER" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_SUBCA | cut -d= -f2) + elif [ $cs_Role="SUBCA2" || $cs_Role="SUBCA1" ]; then + SUBCA_INST=$(cat $TmpDir/topo_file | grep MY_CA | cut -d= -f2) + fi + local tomcat_name=$(eval echo \$${SUBCA_INST}_TOMCAT_INSTANCE_NAME) + local ca_unsecure_port=$(eval echo \$${SUBCA_INST}_UNSECURE_PORT) + local ca_secure_port=$(eval echo \$${SUBCA_INST}_SECURE_PORT) + local ca_host=$(eval echo \$${csRole}) + local valid_agent_user=$SUBCA_INST\_agentV + local valid_agent_user_password=$SUBCA_INST\_agentV_password + local valid_admin_user=$SUBCA_INST\_adminV + local valid_admin_user_password=$SUBCA_INST\_adminV_password + local valid_audit_user=$SUBCA_INST\_auditV + local valid_audit_user_password=$SUBCA_INST\_auditV_password + local valid_operator_user=$SUBCA_INST\_operatorV + local valid_operator_user_password=$SUBCA_INST\_operatorV_password + local valid_agent_cert=$SUBCA_INST\_agentV + local ca_config_file="/var/lib/pki/$tomcat_name/ca/conf/CS.cfg" + local search_string="ca.scep.enable=false" + local replace_string="ca.scep.enable=true" + + rlPhaseStartTest "pki_subca_scep_tests-001: Perform scep enrollment with the SUBCA using sha512 fingerprint" + local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" + local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" + local scep_enroll_pin="netscape" + local scep_password="netscape" + local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + + #Turn on scep + replace_string_in_a_file $ca_config_file $search_string 
$replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + rlRun "wget $scep_location/sscep -O $TmpDir/sscep" + #delete extisting sscep from /usr/bin if any + rlLog "Delete existing sscep from /usr/bin = rm -rf /usr/bin/sscep" + rlRun "rm -rf /usr/bin/sscep" + #Move sscep to /usr/bin + rlRun "mv $TmpDir/sscep /usr/bin" + rlRun "chmod +x /usr/bin/sscep" + #Get mkrequest + rlRun "wget $scep_location/mkrequest -O $TmpDir/mkrequest" + rlRun "mv $TmpDir/mkrequest /usr/bin" + rlRun "chmod +x /usr/bin/mkrequest" + + #Add a flatfile auth to the SUBCA instance conf dir + local ca_file_loc="/var/lib/pki/$tomcat_name/ca/conf/flatfile.txt" + cat > $ca_file_loc << ca_file_loc_EOF +UID:$scep_host_ip +PWD:$scep_password +ca_file_loc_EOF + #Restart SUBCA + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + + local digest=sha512 + + #Copy sscep.conf file + rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" + #do scep enrollment + rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" + + rlAssertGrep "pkistatus: SUCCESS" "$TmpDir/scep_enroll.out" + rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" + rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" + rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlPhaseEnd + + rlPhaseStartTest "pki_subca_scep_tests-002: Perform scep enrollment with the SUBCA using sha256 fingerprint" + local scep_enroll_url="http://$ca_host:$ca_unsecure_port/ca/cgi-bin/pkiclient.exe" + local scep_location="ftp://wiki.idm.lab.bos.redhat.com/dirsec/images-mp1/packages/scep_software/sscep/rhel7-x86_64_modified" + local scep_enroll_pin="netscape" + local scep_password="netscape" + local scep_host_ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/') + + #Turn on scep + replace_string_in_a_file $ca_config_file 
$search_string $replace_string + if [ $? -eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + + rlRun "wget $scep_location/sscep -O $TmpDir/sscep" + #delete extisting sscep from /usr/bin if any + rlLog "Delete existing sscep from /usr/bin = rm -rf /usr/bin/sscep" + rlRun "rm -rf /usr/bin/sscep" + #Move sscep to /usr/bin + rlRun "mv $TmpDir/sscep /usr/bin" + rlRun "chmod +x /usr/bin/sscep" + #Get mkrequest + rlRun "wget $scep_location/mkrequest -O $TmpDir/mkrequest" + rlRun "mv $TmpDir/mkrequest /usr/bin" + rlRun "chmod +x /usr/bin/mkrequest" + + #Add a flatfile auth to the SUBCA instance conf dir + local ca_file_loc="/var/lib/pki/$tomcat_name/ca/conf/flatfile.txt" + cat > $ca_file_loc << ca_file_loc_EOF +UID:$scep_host_ip +PWD:$scep_password +ca_file_loc_EOF + #Restart SUBCA + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + + local digest=sha256 + + #Copy sscep.conf file + rlRun "wget $scep_location/sscep.conf -O $TmpDir/sscep.conf" + local orig_fingerprint="FingerPrint sha512" + local replace_fingerprint="FingerPrint $digest" + replace_string_in_a_file $TmpDir/sscep.conf $orig_fingerprint $replace_fingerprint + + #do scep enrollment + rlRun "scep_do_enroll_with_sscep $scep_enroll_pin $scep_enroll_url $scep_host_ip $TmpDir $digest" + + rlAssertGrep "pkistatus: SUCCESS" "$TmpDir/scep_enroll.out" + rlAssertGrep "certificate written as $TmpDir/cert.crt" "$TmpDir/scep_enroll.out" + rlAssertGrep "-----BEGIN CERTIFICATE-----" "$TmpDir/cert.crt" + rlAssertGrep "-----END CERTIFICATE-----" "$TmpDir/cert.crt" + rlPhaseEnd + + + rlPhaseStartTest "pki_subca_scep_tests_cleanup: delete temporary directory and turn off sscep " + #Delete temporary directory + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + + #Turn off scep + replace_string_in_a_file $ca_config_file $replace_string $search_string + if [ $? 
-eq 0 ] ; then + chown pkiuser:pkiuser $ca_config_file + rhcs_stop_instance $tomcat_name + rhcs_start_instance $tomcat_name + fi + rlPhaseEnd +} diff --git a/tests/dogtag/runtest.sh b/tests/dogtag/runtest.sh index e20887bf9..8b434edfb 100755 --- a/tests/dogtag/runtest.sh +++ b/tests/dogtag/runtest.sh @@ -194,6 +194,7 @@ . ./acceptance/legacy/ca-tests/renewal/renew_manual.sh . ./acceptance/legacy/ca-tests/renewal/renew_DirAuthUserCert.sh . ./acceptance/legacy/ca-tests/renewal/renew_caSSLClientCert.sh +. ./acceptance/legacy/ca-tests/scep_tests/scep-enroll.sh . ./acceptance/legacy/subca-tests/usergroups/subca-usergroups.sh . ./acceptance/legacy/subca-tests/acls/subca-ad-acls.sh . ./acceptance/legacy/subca-tests/internaldb/subca-ad-internaldb.sh @@ -208,6 +209,7 @@ . ./acceptance/legacy/subca-tests/profiles/subca-ad-profiles.sh . ./acceptance/legacy/subca-tests/profiles/subca-ag-profiles.sh . ./acceptance/legacy/subca-tests/logs/subca-ad-logs.sh +. ./acceptance/legacy/subca-tests/scep_tests/subca-scep-enroll.sh . ./acceptance/legacy/drm-tests/acls/drm-ad-acls.sh . ./acceptance/legacy/drm-tests/agent/drm-ag-tests.sh . ./acceptance/legacy/drm-tests/internaldb/drm-ad-internaldb.sh 
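Review bot: The role check `if [ $cs_Role="MASTER" ]` reads a variable that is never set in this function (the parameter is stored in `csRole`) and has no spaces around `=`, so `[` receives a single non-empty word and the first branch is always taken. The `elif` also puts `||` inside one `[ ]`, which the shell splits into two commands, so it would fail with a missing `]` if it were ever reached. It should read `if [ "$csRole" = "MASTER" ]; then` and `elif [ "$csRole" = "SUBCA2" ] || [ "$csRole" = "SUBCA1" ]; then`. `SUBCA_INST` is assigned without `local`, unlike the variables around it, so it leaks into the shell that sources this file.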
@@ -1537,23 +1539,29 @@ rlJournalStart run_ca-ee-ocsp_tests $subsystemType $MYROLE fi PKI_LEGACY_CA_RENEW_MANUAL_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_MANUAL | tr [a-z] [A-Z]) - if [ "$PKI_LEGACY_CA_RENEW_MANUAL_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then - # Execute pki ca-renew-manual tests - subsystemType=ca - run_pki-legacy-ca-renew_manual_tests $subsystemType $MYROLE - fi - PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT | tr [a-z] [A-Z]) - if [ "$PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then - # Execute pki ca-renew-directory-auth-usercert tests - subsystemType=ca - run_pki-legacy-ca-renew_dir_auth_user_cert_tests $subsystemType $MYROLE - fi - PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT | tr [a-z] [A-Z]) - if [ "$PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then - # Execute pki ca-renew-sslclient-cert tests - subsystemType=ca - run_pki-legacy-ca-renew_self_ca_user_ssl_client_cert_tests $subsystemType $MYROLE - fi + if [ "$PKI_LEGACY_CA_RENEW_MANUAL_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then + # Execute pki ca-renew-manual tests + subsystemType=ca + run_pki-legacy-ca-renew_manual_tests $subsystemType $MYROLE + fi + PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_CA_RENEW_DIRECTORY_AUTH_USERCERT_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then + # Execute pki ca-renew-directory-auth-usercert tests + subsystemType=ca + run_pki-legacy-ca-renew_dir_auth_user_cert_tests $subsystemType $MYROLE + fi + PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT_UPPERCASE=$(echo $PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_CA_RENEW_SSLCLIENTAUTH_CERT_UPPERCASE" = "TRUE" ] || [ 
"TEST_ALL_UPPERCASE" = "TRUE" ]; then + # Execute pki ca-renew-sslclient-cert tests + subsystemType=ca + run_pki-legacy-ca-renew_self_ca_user_ssl_client_cert_tests $subsystemType $MYROLE + fi + PKI_LEGACY_CA_SCEP_ENROLL_UPPERCASE=$(echo $PKI_LEGACY_CA_SCEP_ENROLL | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_CA_SCEP_ENROLL_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then + # Execute ca scep enroll tests + subsystemType=ca + run_pki-legacy-ca-scep_tests $subsystemType $MYROLE + fi PKI_LEGACY_KRA_AG_UPPERCASE=$(echo $PKI_LEGACY_KRA_AG_TESTS | tr [a-z] [A-Z]) if [ "$PKI_LEGACY_KRA_AG_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then subsystemType=kra @@ -1650,6 +1658,12 @@ rlJournalStart subsystemType=ca run_admin-subca-log_tests $subsystemType $MYROLE fi + PKI_LEGACY_SUBCA_SCEP_ENROLL_UPPERCASE=$(echo $PKI_LEGACY_SUBCA_SCEP_ENROLL | tr [a-z] [A-Z]) + if [ "$PKI_LEGACY_SUBCA_SCEP_ENROLL_UPPERCASE" = "TRUE" ] || [ "TEST_ALL_UPPERCASE" = "TRUE" ]; then + # Execute subca scep enroll tests + subsystemType=ca + run_pki-legacy-subca-scep_tests $subsystemType $MYROLE + fi PKI_LEGACY_OCSP_AD_USERGROUPS_UPPERCASE=$(echo $PKI_LEGACY_OCSP_AD_USERGROUPS | tr [a-z] [A-Z]) if [ "$PKI_LEGACY_OCSP_AD_USERGROUPS_UPPERCASE" = "TRUE" ] || [ "$TEST_ALL_UPPERCASE" = "TRUE" ]; then subsystemType=ocsp diff --git a/tests/dogtag/shared/rhcs-shared.sh b/tests/dogtag/shared/rhcs-shared.sh index c82b8d3a2..e12631908 100755 --- a/tests/dogtag/shared/rhcs-shared.sh +++ b/tests/dogtag/shared/rhcs-shared.sh @@ -21,6 +21,7 @@ # forward_system_clock <number_of_days> # reverse_system_clock <number_of_days> # replace_string_in_a_file <file_name> <original_string> <replace_string> +# scep_do_enroll_with_sscep <scep_enroll_pin> <scep_enroll_url> <scep_host_ipaddr> <temp_dir> <fingerprint> ###################################################################### ####################################################################### 
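Review bot: The new SCEP gates test `[ "TEST_ALL_UPPERCASE" = "TRUE" ]`, which compares two literals and is always false, so the test-all switch never enables `run_pki-legacy-ca-scep_tests` or, in the later hunk, `run_pki-legacy-subca-scep_tests`. The re-indented renewal gates in this hunk carry the same literal. The neighbouring context lines use `[ "$TEST_ALL_UPPERCASE" = "TRUE" ]`, and these should too. `tr [a-z] [A-Z]` is unquoted, so a single-letter file name in the working directory can change its arguments; `tr '[:lower:]' '[:upper:]'` avoids that. The enclosing block starts and ends outside the hunk.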
@@ -345,6 +346,39 @@ replace_string_in_a_file() # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# scep_do_enroll_with_sscep <scep_enroll_pin> <scep_enroll_url> <scep_host_ipaddr> <temp_dir> <fingerprint> +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +scep_do_enroll_with_sscep() +{ + local scep_enroll_pin=$1 + local scep_enroll_url=$2 + local ipaddress=$3 + local temp_dir=$4 + local digest=$5 + local rc=0 + + rlRun "/bin/rm -f $temp_dir/local.csr $temp_dir/local.key $temp_dir/ca.crt $temp_dir/cert.crt" + + #generate a key + rlLog "/usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin $digest" + rlRun "/usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin $digest > $temp_dir/gen_key" + + #get ca cert + rlLog "/usr/bin/sscep getca -c $temp_dir/ca.crt -u $scep_enroll_url" + rlRun "/usr/bin/sscep getca -c $temp_dir/ca.crt -u $scep_enroll_url > $temp_dir/getca_out" + + #submit enrollment request + rlLog "/usr/bin/sscep enroll -f $temp_dir/sscep.conf -c $temp_dir/ca.crt -k $temp_dir/local.key -r $temp_dir/local.csr -l $temp_dir/cert.crt -u $scep_enroll_url" + rlRun "/usr/bin/sscep enroll -f $temp_dir/sscep.conf -c $temp_dir/ca.crt -k $temp_dir/local.key -r $temp_dir/local.csr -l $temp_dir/cert.crt -u $scep_enroll_url > $temp_dir/scep_enroll.out" + if [ $? -ne 0 ] ; then + rc=1 + fi + + return $rc +} +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # disable_ca_nonce # Usage: disable_ca_nonce <ca_server_root> # |
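Review bot: `scep_do_enroll_with_sscep` writes the enrollment PIN to the test journal in clear through `rlLog "/usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin $digest"`, and the `rlRun` line after it passes the same command string. Log a redacted form instead, e.g. `rlLog "/usr/bin/mkrequest -ip $ipaddress <pin> $digest"`. The return code reflects only the final `sscep enroll`, so a failed `mkrequest` or `sscep getca` is not reported to the caller on its own; appending `|| rc=1` to those two `rlRun` calls would fix that. A header comment listing what the function expects in `<temp_dir>` (`sscep.conf`) and what it writes there (`local.key`, `local.csr`, `ca.crt`, `cert.crt`, `scep_enroll.out`) would help callers, since the usage line names only the arguments.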