OK, let me now recap what needs to be done for this to work.
A plain blank never used SCEP/NDES server will do just fine.
But one needs to assume that customer might use such server for something else.
Which was the case in my setup. I use the SCEP server to request certificates for Apple iDevices (iPad/iPhone) for wireless network access, using a custom template which does NOT have Server Authentication configured.
Hence the settings on my SCEP server were for that very purpose, and the created certificate did not work.
To make sure that the certificate obtained from the SCEP server is good for SSL, one needs to configure the correct template in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptionTemplate
Preferably one that has Server Authentication configured.
Good read is here:
https://blog.warcop.com/2013/06/27/ndes-server-configuration-for-scep-cisco-asa-scep-proxy/
Once that was configured in that way, then a simple set of commands did get the certificate:
# PKI domain pointing at the NDES/SCEP URL of the enterprise CA
pki domain domainA1
 ca identifier NameOfCA
 certificate request url http://EnterpriseCA.domainA1.local/certsrv/mscep/mscep.dll
 certificate request from ra
 certificate request entity hpe5900
 crl url http://EnterpriseCA.domainA1.local/CertEnroll/whatever_is_configured.crl
#
# Entity whose common-name goes into the certificate subject (referenced by the domain above)
pki entity hpe5900
 common-name HPE5900.domainA1.local
 country GB
#
# SSL server policy bound to the PKI domain
ssl server-policy domainA1-ssl
 pki-domain domainA1
#
# HTTPS must be disabled while the key pair and certificate are set up
undo ip https enable
pki domain domainA1
 public-key rsa general name BG length 2048
 quit
# Fetch the CA certificate, then enrol with the one-time password obtained from the CA at http://ndes_server/certsrv/mscep_admin
pki retrieve-certificate domain domainA1 ca
pki request-certificate domain domainA1 password 2A792FF083164D59
# Bind the policy and re-enable HTTPS
ip https ssl-server-policy domainA1-ssl
ip https enable
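The point of the registry change above is that the certificate NDES hands back must carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), otherwise the switch's SSL server policy ends up with a certificate browsers will not accept for HTTPS. The script below is an added example, not part of the original post and not HPE or Microsoft tooling: it checks a PEM certificate for that EKU with the openssl CLI, and builds two constructed sample certificates (one from a "template" with serverAuth, one with clientAuth only) so it can be run offline. The subject name and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a certificate issued
# through NDES/SCEP is usable for SSL by checking its Extended Key Usage.
set -e

# Returns 0 if the PEM certificate in $1 contains the Server Authentication
# EKU (openssl prints it as "TLS Web Server Authentication"), 1 otherwise.
has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Constructed stand-in for what NDES would return from a given template:
# $1 = output file, $2 = extendedKeyUsage value (e.g. serverAuth, clientAuth).
# Self-signed, throw-away key; only the EKU matters for this check.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj '/CN=HPE5900.domainA1.local' -days 1 \
        -addext "extendedKeyUsage=$2" -out "$1" 2>/dev/null
}

# Demo: one certificate from a template with Server Authentication, one from a
# wireless-client style template with Client Authentication only.
DEMO_DIR=$(mktemp -d)
make_cert "$DEMO_DIR/server-template.pem" serverAuth
make_cert "$DEMO_DIR/client-template.pem" clientAuth

for cert in "$DEMO_DIR/server-template.pem" "$DEMO_DIR/client-template.pem"; do
    if has_server_auth "$cert"; then
        echo "$cert: OK for ip https ssl-server-policy"
    else
        echo "$cert: missing Server Authentication EKU, fix the NDES EncryptionTemplate"
    fi
done
```

To check a certificate the switch actually received, export it from the device (or fetch the RA/CA chain from the NDES URL) and pass the PEM file to `has_server_auth`; a non-zero return is the condition the post describes, where the template behind the EncryptionTemplate key lacks Server Authentication.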