In the CA I'm working on, we have certificate templates that are used to configure CSRs on various devices. We need to keep track of which template we push to a device, so that we can validate the CSR against the template used. For iOS devices, we're thinking of including the template name in the "Name" field for the SCEP Payload. However, I'm not sure how this field is packaged into the CSR that the iOS device creates. According to the OTA Configuration Guide,
The service can provide different certificate issuing services parameterized on the Name value that becomes part of the final URL. In the case of Windows, this value needs to be set, although any value will do.
This is the only indication of how this Name key/field is used. Does anyone know what becomes of this key? Is it made into an attribute in the CSR? This quote says it "becomes part of the final URL." Does this mean it's injected into the SCEP URL? There doesn't seem to be much documentation on this.