Hello @pugman,
The ASA cannot perform the configuration you want to accomplish, you can configure the Local CA on the ASA but it will only work with AAA and OTP (you could send it through email or manually from ASDM or CLI) but there is no way you can enable the Local CA to make it work with SCEP, the feature is not supported.
You could have the CA on a Windows Server and automate the process but you cannot do it on the ASA.
HTH
Gio