distributed PKI Certificate handling- making it user friendly

I have 开发者_运维问答a Server and N number of clients installed on different hosts. Each host has its self-signed certificate generated during install. The client authentication is turned ON at this point. Which means they can't communicate to each other until these certs are properly imported as described below.

Now, the server needs to import all the clients' certificates. So do all the clients from this single server. This part is really not user friendly to do it during install as either client or the server can be installed independent of each other any time. What is the better way to import certs between clients and server without the user having to perform some kind of out-of-band manual steps?

PS: The PKI tool I am using can only import/export certificates on a local machine only. Assume I can't change this tool at this time.

In general, this is one of the problems with PKI. It is a pain to securely distribute certificates in an automated fashion.

In an Active Directory domain environment you already have a Kerberos trust in place. Therefore you can use group policy to securely distribute certficates automatically. Don't know if that would apply to you because you haven't given information about your environment/OS etc.