How to solve chicken or the egg issue with client TLS certificates on a physical host?
We use the foreman's bootdisk plugin for this purpose. I do not imply it's the correct or unique way, it's what we use successfully.
Everytime a host needs to be (re)provisioned, a short lived token gets generated and it's kept on the database coupled to the host. This token goes into an iso file with the ipxe binary and a script that downloads the kicstart file from the provisioning host only if it offers the right token as identifier. Once the host is provisioned, the token gets deleted. After a specific (tunable, out of the top of my head defaults to 60 minutes) the token is invalidated.
This works with both bios as uefi firmware, and no need for pxe, just http(s) so you could really have internet deployments with few modifications (handy for deploying hardware on remote locations).