You are welcome; thank you for clarifying.
Unfortunately, there is no automatic install option for this. In addition to the post-notification message, since you are already presenting bookmarks to users, you can create a bookmark to the certificate server and provide instructions, either as part of the bookmark description or a post-authentication message, that users must access that the first time they login from a new machine.
I also wanted to confirm that Host Checker cannot check for the presence of a trusted root CA on the client.