When two devices use an Identity Certificate to initiate VPN negotiations, each must prove that it is the device for which its certificate was issued. To obtain that certificate, each device provides the CA server with the information the CA needs to sign a certificate for that specific device. Because a device must never be able to authenticate with a certificate issued to another device, the ASA has to be enrolled with the CA server before certificates can be used at all.
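As an added example (not part of the original text), the following shell script uses openssl to play through that enrollment and the reason it matters: a throwaway CA signs a CSR from each of two constructed devices, asa-a and asa-b, and a signature check then shows that asa-b cannot authenticate with asa-a's certificate because it does not hold the matching private key. The CA, the device names and the challenge value are assumptions.

```shell
#!/bin/sh
# Constructed lab: a throwaway CA and two devices (asa-a, asa-b) enrolling with it.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The CA server the devices enroll against (self-signed root, 1-day lab cert).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Lab CA" -days 1 >/dev/null 2>&1

# 2. Enrollment: the device generates its own key pair and a CSR carrying its
#    identity. Only the CSR goes to the CA; the private key never leaves the device.
enroll() {  # $1 = device name
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1.lab.example" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 1 >/dev/null 2>&1
}
enroll asa-a
enroll asa-b

# 3. Trust check: the peer's certificate must chain to the CA both devices trust.
chain_ok() {  # $1 = certificate to check; exit status 0 when it chains to ca.crt
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# 4. Proof of possession: the peer signs a fresh challenge with its private key and
#    the verifier checks it with the public key inside the presented certificate.
prove() {  # $1 = certificate presented, $2 = private key the signer really holds
    echo "nonce-from-peer-$$" > challenge.txt
    openssl dgst -sha256 -sign "$2" -out sig.bin challenge.txt
    openssl x509 -in "$1" -pubkey -noout > pub.pem
    openssl dgst -sha256 -verify pub.pem -signature sig.bin challenge.txt >/dev/null 2>&1
}

chain_ok asa-a.crt && echo "asa-a.crt chains to the lab CA"
if prove asa-a.crt asa-a.key; then
    echo "asa-a proves possession of the key behind asa-a.crt"
fi
# asa-b presents asa-a's certificate but can only sign with its own key.
if prove asa-a.crt asa-b.key; then
    echo "UNEXPECTED: asa-b authenticated with asa-a's certificate"
else
    echo "asa-b cannot authenticate with asa-a's certificate (signature does not verify)"
fi
```

The same proof-of-possession step is what the VPN peer performs when it validates an Identity Certificate, which is why a copied certificate without its private key is useless to another device.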