Okay, I was able to use the following workaround in my lab environment to update the SCEP certificate.   Using OpenSSL to sign the certificate is not ideal as that certificate would live outside of the control and knowledge of ADCS.   However, since this is just a lab environment, I was able to use the following option to extract the Root CA cert and key from my ADCS in p12 format. https://support.citrix.com/article/CTX224970/how-to-export-internal-root-ca-with-private-key-from-microsoft-certificate-authority-services-to-use-on-netscaler-swg   I was then able to use the openssl commands in this document to extract the certificate and key in PEM format and then use OpenSSL to sign the Meraki SCEP cert. https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl/   I doubt this option would be acceptable for a customer Production environment, but it works for my lab setup. ... View more

I'm having the same issue trying to update my expired SCEP certificate. I've tried using the built-in SubCA template in ADCS as well as created new templates, but I cannot seem to get the Meraki Dashboard to accept anything signed by ADCS. Here are the basic constraints and key usage settings in my SubCA template.   And the resulting signed certificate from the Meraki CSR:       Has anyone been able to get this working with the newer requirements and ADCS? ... View more