A few things I forgot to mention in my previous posts. You need to send a properly formatted request to the Microsoft NDES service from the Cisco ASA. The request has to include the domain and the correct key size. If these enrollment properties are not specified correctly, the CA will deny the request, and the denial usually shows up in the application log as a complaint that the key size is wrong.
There is no real need to go up to a 2048-bit key size unless your security requirements demand it. Remember that a larger key size, multiplied by the number of connections, increases the CPU load on the ASA.
Here is an example configuration for the ASA enrollment:
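As an added example, not the post's own configuration, here is what the enrollment described above can look like on the ASA CLI. The hostname, domain, DN values, trustpoint name and key label are assumed placeholders; the 2048-bit modulus is assumed to be the minimum the NDES template enforces. The `/certsrv/mscep/mscep.dll` path is the standard NDES SCEP endpoint, and `crypto ca enroll` prompts for the one-time challenge password that NDES issues from its admin page.

```cisco
! Added example of ASA SCEP enrollment against Microsoft NDES (not the original post's config).
! Hostname, domain, DN values, trustpoint name and key label are assumed placeholders.

! The ASA builds its FQDN from these two values; the request must carry the domain.
hostname asa1
domain-name example.local

! Dedicated keypair whose modulus matches the template minimum (assumed 2048 here).
! A smaller modulus is rejected by the CA and logged as a key-size error.
crypto key generate rsa label NDES-KEY modulus 2048

crypto ca trustpoint NDES-TP
 ! SCEP endpoint published by NDES (standard mscep.dll path)
 enrollment url http://ndes.example.local/certsrv/mscep/mscep.dll
 ! Subject DN and FQDN include the domain so the request matches the template
 subject-name CN=asa1.example.local,OU=Network,O=Example
 fqdn asa1.example.local
 ! Bind the trustpoint to the keypair generated above
 keypair NDES-KEY

! Fetch and verify the CA certificate, then submit the SCEP request.
! crypto ca enroll prompts for the NDES one-time challenge password.
crypto ca authenticate NDES-TP
crypto ca enroll NDES-TP

! Confirm the identity certificate was issued and installed
show crypto ca certificates NDES-TP
```

If the request is denied, compare the modulus on the ASA (`show crypto key mypubkey rsa`) and the FQDN/subject-name against the template's key-size and subject requirements before looking anywhere else; those two mismatches are the ones the application log reports.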
Also, be sure the NDES service account has the correct security permissions on the certificate template. Go ahead and give it "Full Control"; this also grants the Auto-enroll permission.