
Fall back to using non-filtered certs #145


Closed

Conversation

jessepeterson
Member

The changes in #136 mean that CA certs that do not have KeyEncipherment get excluded, which, if those are the only ones available, is a problem. :) This PR falls back to the previous behavior.

@jessepeterson
Member Author

In particular all existing MicroMDM CAs do not have a KeyUsageKeyEncipherment key usage set on their CAs and so the SCEP client will fail against them. :(

@omorsi
Contributor

omorsi commented Mar 5, 2021

Looking at the JSCEP implementation, it looks like it regards a certificate as a valid recipient if it has KeyUsageKeyEncipherment or KeyUsageDataEncipherment, or its max path length is 0 (CA certificate). I don't know if there is a specification that this is following or not. But WDYT about this? Will this work with MicroMDM CAs?

@jessepeterson
Member Author

jessepeterson commented Mar 5, 2021

I think it's useful to select amongst a group of CAs returned, no doubt. However if none are found having that key I don't think it's a good experience to just fail and be inoperable.

What would you think about an option? Something like scep.WithUseAnyRecipient()? Or, vice versa, WithOnlyKeyEnciphermentRecipients()? That said, the fall-back behavior covers both cases nicely. Maybe fall back by default, with an option to require only the key encipherment check.

@omorsi
Contributor

omorsi commented Mar 5, 2021

I also want to suggest another option. I can implement it in another PR if you want.
WDYT about including all certificates as recipients by default, but also introducing a WithSelector option? The selector would be a function that filters the certificates. I think this may allow easy customization of how any user wants to filter recipients. WDYT?

@jessepeterson
Member Author

Yeah that sounds reasonable. Feel free to submit a PR!

I do like the idea of a default selector being provided that checks for KeyEncipherment and also falls back. This captures both cases, where we "prefer" KE certs but don't require them, for maximum compatibility, i.e. covering NDES as well as other common SCEP server setups.
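The "prefer KeyEncipherment, but fall back to everything" default selector discussed above, written out as an added example (not code from this PR or from the micromdm/scep project); the function names `PreferEncipherment` and `selfSignedWithUsage` are assumptions, and the test certificates are constructed in-process purely to exercise the selection logic.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Key usages that let a CA cert receive an enveloped message: KeyEncipherment, plus DataEncipherment as JSCEP also accepts.
const encipherUsage = x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment

// PreferEncipherment keeps the certificates whose key usage permits enciphering; when none
// qualify it falls back to the full list, so a CA issued without that bit (as with existing
// MicroMDM CAs) still yields a usable recipient instead of leaving the client inoperable.
func PreferEncipherment(certs []*x509.Certificate) []*x509.Certificate {
	var selected []*x509.Certificate
	for _, c := range certs {
		if c.KeyUsage&encipherUsage != 0 {
			selected = append(selected, c)
		}
	}
	if len(selected) == 0 {
		return certs // fall back to the pre-#136 behaviour and use every CA cert
	}
	return selected
}

// selfSignedWithUsage builds a constructed, self-signed RSA certificate carrying
// the given key usage bits; it exists only to exercise the selector in a test.
func selfSignedWithUsage(cn string, usage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```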

@omorsi omorsi mentioned this pull request Mar 5, 2021
@jessepeterson
Member Author

Abandoning in favor of #147

@jessepeterson jessepeterson deleted the filtered-certs-fallback branch March 25, 2021 18:45