I know this is very old and the latest - and sole - contribution to the topic is from June 2017 but the error in the given example does not stem from an ISE malfunction or bug. In my opinion, the enrollment URL points to the wrong path. The switch will receive the CA certificate when "/pkiclient" is omitted.
Is there still no solution to issue certificates to Cisco devices (routers, switches, wlc) from ISE CA?
From my view It is very disappointing that a Cisco CA (ISE) is not able to issue certificates to their own main product series.
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: