I am trying to implement a system where a client can download application packages from a server to install/update them on the client.
Note: The update process for a client file will take between 2 and 7 minutes, depending on the client file version and the size of the generated financial statements.
My question is what the client is supposed to do to install/update a CA certificate. What I understand from your answer is i) it would be enough for a client to have a root certificate to validate a signature, ii) the root certificate can be pre-installed on a client or distributed with application packages from the server, iii) a client would need to build a chain of trust, iv) a client would need to use CRL or OCSP, but the server would just sign with a new key.
When we used other types of clients such as web browsers and mail applications, we would not recognize what those applications are doing for installing/updating a CA certificate. Honestly, I do not quite understand iii) and iv) yet.
Alternatively, the client can request that the DHCP server make the update on its behalf.
Using an additional DHCP option included in the message, the Client FQDN option (option 81), and the client's fully qualified domain name (FQDN), a Windows 2000 DHCP client can pass its FQDN to the DHCP server and inform the server how to perform the update.
Refer to Updating the Master Template for more information.