We are using Windows 2003 PKI for Cisco IPSec devices and as per security mandate have SCEP challenge password enable when installing the plugin. This poses a challege when the devices try to auto-enroll after certificate expiration, I am looking for a) If the passwords were only time or one use only ? If they are one use is there a way to configure the same password to be used by multiple devices enrolling at different time. I understand Windows 2008 R2 has single mode password option but we are atleast 18 months away for implementing the solution. b) Any creative ideas about making auto-enroll work with enrollment challenge passwords ? Any information or pointers are greatly appreciated. Thanks VV