(Updated @ 2016/05/18)

When you use Desired State Configuration (DSC) and a Pull server, you should encrypt any credentials in your configuration documents. More information is available here: https://blogs.msdn.microsoft.com/powershell/2014/01/31/want-to-secure-credentials-in-windows-powershell-desired-state-configuration/
But instead of harvesting the certificates from the remote computers themselves (as described in the blog post above), I decided to query the CA directly, and get the certificates and the public keys from there.

I found this example on querying the CA database using a ComObject, and based on that function I wrote the Export-CACertificatesForDscEncryption function, which gets only the relevant certificates I needed (issued certificates for the purpose of Client Authentication), exports them to CER files, and outputs a report with the Node, Path, Thumbprint, and CertificateExpirationDate for later use to build the configuration data.

For example, you can call Export-CACertificatesForDscEncryption using the following command:

Export-CACertificatesForDscEncryption `
  -CertificationAuthority contoso.com\ContosoRootCA `
  -Path C:\Temp\CERTs -ReportFileName nodes.csv -Verbose

The Export-CACertificatesForDscEncryption function is available on the Script Center repository at: https://gallery.technet.microsoft.com/scriptcenter/Export-CACertificatesForDsc-ccd593bc
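
Added example (not part of the original post or of the Export-CACertificatesForDscEncryption script): one way to turn the report into DSC configuration data, skipping certificates that are close to expiry, missing on disk, or whose CER file does not match the reported thumbprint. It assumes the CSV columns are named Node, Path, Thumbprint and CertificateExpirationDate as listed above, that Path holds the full path of each CER file, that the report is written to C:\Temp\CERTs\nodes.csv, and that the date column parses with [datetime]; New-DscConfigurationDataFromReport is a hypothetical helper name.

```powershell
# Added example. Column names and the report location are assumptions based on
# the report fields and the sample command in the post.
function New-DscConfigurationDataFromReport {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ReportPath,
        [int] $MinimumDaysValid = 30
    )

    $cutoff = (Get-Date).AddDays($MinimumDaysValid)

    $allNodes = Import-Csv -Path $ReportPath |
        Group-Object -Property Node |
        ForEach-Object {
            # A node can have several issued certificates; keep the one that expires last.
            $row = $_.Group |
                Sort-Object { [datetime]$_.CertificateExpirationDate } -Descending |
                Select-Object -First 1

            if ([datetime]$row.CertificateExpirationDate -lt $cutoff) {
                Write-Warning "$($row.Node): certificate expires $($row.CertificateExpirationDate), skipped"
                return   # inside ForEach-Object this moves on to the next node
            }
            if (-not (Test-Path -LiteralPath $row.Path -PathType Leaf)) {
                Write-Warning "$($row.Node): $($row.Path) not found, skipped"
                return
            }

            # Confirm the CER file on disk is the certificate the report describes.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $row.Path
            if ($cert.Thumbprint -ne ($row.Thumbprint -replace '\s')) {
                Write-Warning "$($row.Node): thumbprint mismatch for $($row.Path), skipped"
                return
            }

            @{
                NodeName        = $row.Node
                CertificateFile = $row.Path          # public key used to encrypt when the MOF is compiled
                Thumbprint      = $cert.Thumbprint   # value for the node's LCM CertificateID
            }
        }

    @{ AllNodes = @($allNodes) }
}

$ConfigurationData = New-DscConfigurationDataFromReport -ReportPath C:\Temp\CERTs\nodes.csv
```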