The service account user must have full control of the MSCEP registry key. Do the following:
Step 1. Open the Regedit application.
Step 2. Navigate to the MSCEP registry key at HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.
Step 3. Right-click MSCEP > Permissions.
Step 4. Add the service account, and give it full control.
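The same grant can be scripted and then verified from an elevated PowerShell session. This is an added example, not part of the original procedure. The account name `EXAMPLE\svc-scep` is a placeholder assumption and must be replaced with the actual service account.

```powershell
# Placeholder (assumption): replace with the real service account, DOMAIN\name.
$Account = 'EXAMPLE\svc-scep'
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath"
}

# Resolve the account to a SID first, so a mistyped name fails here
# instead of producing an unresolvable entry in the ACL.
$Identity = New-Object System.Security.Principal.NTAccount($Account)
$null = $Identity.Translate([System.Security.Principal.SecurityIdentifier])

# Full control on the MSCEP key and its subkeys (ContainerInherit).
$Rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Identity,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the rule to the existing ACL; existing entries are kept.
$Acl = Get-Acl -Path $KeyPath
$Acl.AddAccessRule($Rule)
Set-Acl -Path $KeyPath -AclObject $Acl

# Verify: list every Allow entry on the key so the new grant is confirmed
# and any unexpected principal with write access stands out.
(Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize
```

The final listing is worth keeping with the change record: the service account should appear with `FullControl`, and no other non-administrative principal should hold write rights on this key.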
The default certificate template for SCEP to issue is an IPSec template. You must change this to use the new user ...