Well, two different things.
Thing 1, you said you can’t have a Pull Server; a Pull Server can just be a file server if that makes the decision to use Pull a little easier.
Thing 2, you have to pre-deploy certs if you’re going to encrypt credentials. They don’t come from the pull server per se. Not magically, at least, like resource modules can.
But I think the DSC book shows the syntax where the cert thumbprint goes, if not an explicit example.