Hi,
The local CA feature on the ASA is very limited; take a look:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html
Normally, you configure the ASA as the VPN server, configure the authentication to be rsa-signatures and create the self-signed certificate on the ASA (to enable the CA functionality).
Then, each client is configured to enroll with the CA server (ASA), in this way obtaining the certificate.
Each client must have the CA certificate and an identity certificate of its own.
Federico.