All
I should have been more clear. The Root CA that actually signed the gateway certificate can be deployed via GPO. For example, if you have an SSL certificate signed by GODaddy, you can deploy the rest of the chain that way. As mentioned before, if you have a machine that is off network or cannot communicate directly with the bs, there is an offline package but connectivity should be solid on network prior to trying this.