<<<<<<< .mine
# AA basic configuration for SCEP issuing.
#
# 0. Set up some directories; The directory cert needs to be server writable.
#
#  mkdir ca ra cert
#  chown www:www cert
#
# AA basic configuration for SCEP issuing.
#
# 0. Set up some directories; The directory cert needs to be server writable.
#
#  mkdir ca ra issued_certs
#  chown www:www issued_certs
#
# 1. Generate a CA with an issuing RA 
#
#  openssl req -new -x509 -subj /CN=ca-test-scep -out ca/ca-cert.pem -keyout ca/ca-key.pem -nodes
#
#  echo "[ra]" > config.cnf
#  echo "keyUsage=digitalSignature,keyEncipherment" >> config.cnf
#
#  openssl req -new -subj /CN=ra-test-scep -keyout ra/ra-key.pem -nodes |\ 
#            openssl x509 -req \
#                         -CAkey ca/ca-key.pem -CA ca/ca-cert.pem \
#                         -out ra/ra-cert.pem  \
#                         -extfile config.cnf -extensions ra
#
# 2. Load the right modules into httpd.conf
#
LoadModule ca_module 		libexec/apache24/mod_ca.so
LoadModule scep_module 		libexec/apache24/mod_scep.so
LoadModule ca_simple_module 	libexec/apache24/mod_ca_simple.so
LoadModule ca_disk_module 	libexec/apache24/mod_ca_disk.so

# Configure a URL (in this case - /scep). We're not setting any
# access restricitons - anyone can ask for anything.
#
<Location /scep>
  SetHandler 				scep
  ScepRACertificate 			/opt/local/etc/pki/ra/ra-cert.pem
  ScepRAKey 				/opt/local/etc/pki/ra/ra-key.pem
  ScepSubjectRequest 			O
  ScepSubjectRequest 			countryName
  ScepSubjectRequest 			stateOrProvinceName
  ScepSubjectRequest 			commonName
  ScepSubjectSet OU 			"Test Certificate"
  CASimpleCertificate 			/opt/local/etc/pki/ca/ca-cert.pem
  CASimpleKey 				/opt/local/etc/pki/ca/ca-key.pem
  CASimpleSerialRandom 			on
  CASimpleTime 				on
  CADiskCertificateSignRequestPath 	/opt/local/etc/pki/certs/
  CADiskCertificateByTransactionPath 	/opt/local/etc/pki/certs/
</Location>

Add below to above blocka more elaborate setup that limits/constraints things a bit more:

<Location /scep>
  LogLevel Debug

  ScepSubjectRequest                    O
  ScepSubjectRequest                    countryName
  ScepSubjectRequest                    stateOrProvinceName
  ScepSubjectRequest                    commonName
  ScepSubjectSet OU                     "Test Certificate"
  ScepSubjectSet O                      "My company"
  ScepSubjectSet L                      "Town"
  ScepSubjectSet C                      "EU"
  #
  # Allow up to 20 of any type
  ScepSubjectAltNameRequest             *       20
  ScepSubjectRequest                    *       20
  #
  CASimpleExtension basicConstraints CA:FALSE
  CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment

  # clientAuth - Indicates that a certificate can be used as a Secure Sockets Layer (SSL) client certificate 
  # emailProtection - Indicates that a certificate can be used for protecting email (signing, encryption, key agreement)
  # ipsecUser - IPSEC User Certificate
  # secureShellClient - id-kp-secureShellClient (indicates that the key can be used for a Secure Shell client)
  #
  CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.21,OID:1.3.6.1.5.5.7.3.7,OID:1.3.6.1.5.5.7.3.4,OID:1.3.6.1.5.5.7.3.2

  CASimpleExtension subjectKeyIdentifier hash
  CASimpleExtension authorityKeyIdentifier keyid,issuer