No, we haven't, but thanks for that tip - will definitely look into this.

My _guess_ at this point is that the platform can't generate the keys,
it needs to get them from somewhere else. Having never used SCEP I don't
know if the iPad platform can use a bare key pair to craft a signed SCEP
request or not.  Otherwise, I read the page as discussing various methods the iPad
can use to download a certificate from a smarter one - like your Mac laptop.
However, the page doesn't seem to distinguish the private key handling from
cert handling, so....

Hand-me-down certificates fit our working scenarios today but we'll soon have customers that
want to conduct these transactions directly on their mobile platform.  I think that'll
mean we have to have a key pair generator or some other trusted service.

Here is an interesting quote from the above PDF file:
... iPad generates a certificate enrollment request using the
SCEP protocol. This SCEP enrollment request talks directly to the enterprise certificate
authority and enables iPad to receive the identity certificate from the certificate authority
in response. ...
which means that it follows SCEP (included in Dogtag) and general PKI rules.

