Approvals with SCEP currently only exists when using the legacy RA proxy, but there are enough provisions in the followed [draft|https://tools.ietf.org/html/draft-nourse-scep-23] to implement it in EJBCA as well.
- Due to how approvals are constructed in EJBCA, this will only be able to function in RA mode, as the action requiring approval is end entity creation, not issuance
- According to section 2.5.1 in the draft, a PKCSReq message which cannot continue should return status PENDING, and the envelope must be omitted (section 184.108.40.206)
- Should a PENDING status be return, the client may continue to poll the RA using the GetCertInitial message until a SUCCESS or FAILURE is received
- The initial PKCS10 needs to be stored as the GetCertInitial doesn't contain it. It's done in a dedicated field in ExtendedInformation in the End Entity.
- The recipient nonce on the GetCertInitial value will (upon issuance) need to be modified upon being sent back, as the nonce stored in the PKCS10 above will not be the same as the one that came with the final GetCertInitial, which is what the client will be expecting to see.
- The transaction ID should remain the same from request to issuance