Yes. You’d put the fog client on the reference host, re-capture, and via the web interface deploy the image. :-)
I also did some google searching on this. Most of these solutions are for domain bound computers, but there are some ways that don’t require it, but would require credentials to the remote system. search results
The certificate is the central and single point of success or failure of security for the fog client. If an attacker could get it by any means at all, all security is compromised. Having an actual feature that allows it to be downloaded would increase the risk of compromise several times fold.
a local admin ought to be the only person that can touch it.