On a Windows machine, this will get you the Active Directory root CA public certificate.
certutil -viewstore -enterprise ntauth