Currently, the CSR sent in a PKCSReq message is encrypted with all the certificates returned from GetCaCert operation.
Line 448 in f3adbb7:

```go
e7, err := pkcs7.Encrypt(deg, msg.p7.Certificates)
```
A Windows SCEP server may not just return the CA certificate, but also NDES certificates. Some of these certificates are not created with KeyEncipherment KeyUsage. Some of them are only for Digital Signature purposes. Adding these certificates as recipients for the encrypted messages introduces decryption errors from the server's side.
The proposal here is to filter the certificates received from GetCaCert by KeyUsage, particularly KeyEncipherment, and use only those as the encrypted content recipients.
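The filter proposed above, as an added stand-alone example rather than code from the scep project: `recipientsForEncryption` keeps only certificates carrying the keyEncipherment KeyUsage bit, and `selfSigned` generates constructed test certificates that stand in for the entries of a GetCACert response (the function names and the sample subjects are assumptions for this example).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// recipientsForEncryption keeps only certificates whose KeyUsage includes
// keyEncipherment, the usage a PKCS#7 EnvelopedData recipient must have.
func recipientsForEncryption(certs []*x509.Certificate) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if c.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
			out = append(out, c)
		}
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed self-signed test cert standing in for one GetCACert entry.
func selfSigned(cn string, usage x509.KeyUsage) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, KeyUsage: usage,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	chain := []*x509.Certificate{ // constructed stand-in for a GetCACert response
		selfSigned("NDES Signing", x509.KeyUsageDigitalSignature),
		selfSigned("NDES Encryption", x509.KeyUsageKeyEncipherment),
	}
	fmt.Println(len(recipientsForEncryption(chain)), "of", len(chain), "usable as recipients")
}
```

Passing the filtered slice to `pkcs7.Encrypt` instead of `msg.p7.Certificates` leaves the signing-only NDES certificate out of the recipient list, so the server can decrypt with its key-exchange certificate.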