Slightly OT: can we have a quick headcount of which client deployment tools people are using to deploy their private CA, ideally annotated with any platforms it *doesn't* support?
Well, we don't use one, yet. I've decided to try to tackle the task of getting helpdesk staff used to running a new deployment program which also parameterizes our SSIDs by tying one to an upcoming new VPN rollout. This is with custom scripts generating a mobileconfig and a custom windows script, since none of the SSID-deployment tools also did VPN profiles and/or were too cookie cutter or too bloated to audit. I haven't gotten around yet to writing the part of the Windows script that does the SSIDs or will eventually allow us to install a root cert, but the mobileconfig side of that is dead simple. So far I've been able to avoid any binary .exes on the Windows side so the whole thing is a one-file, easily auditable script disregarding the pasted-in certs. We don't allow Vista or XP on the network anymore, so I don't have to deal with powershells too old to do the job. Haven't even looked at CA enrollment yet. Would be premature until management takes some interest in the CA project and supplicant support catches up. The danger in this approach is less community support if an OS suddenly decides to make changes that crash the scripts or demand a different .mobileconfig for different OSes. But so far in testing, we haven't needed to discriminate. Didn't bother to do android, because it's futile to be messing around with giant build enviromnets to create apps to use reflection APIs to get at paremeters that should be easily provisionable. We'll just have to wait for that crew to get their thumbs out of their posteriors, and in the meantime coax the users through manual cert installs.