Do you mean a user certificate or do you mean that the clients need to trust that the server is valid but is signed by an internal CA?

If the former, you will need to work with the PKI team on how they want to handle users obtaining certificates that prove identity. For the latter, you will need to work with your PKI, and possibly web hosting team, and determining how to best get the root CA to users.

Thanks for the reply Zanyterp.

The latter is what we need to do.
We need the users to get the root CA for a specific server.

I was hoping to find a way for Pulse to install it or at minimum be able to identify that they didn't have the root CA needed - possibly by Host Checker.

The only other thing I've come up with is a post-authentication message with a link to a webpage that they can install it from. This is a manual way and I was really trying to find another means that was more automated.

You are welcome; thank you for clarifying.
Unfortunately, there is no automatic install option for this. In addition to the post-notification message, since you are already presenting bookmarks to users, you can create a bookmark to the certificate server and provide instructions, either as part of the bookmark description or a post-authentication message, that users must access that the first time they login from a new machine.

I also wanted to confirm that Host Checker cannot check for the presence of a trusted root CA on the client.

Zanyterp, is HTML not useable in the post-authentication and pre-authentication notifications?