Microsoft Knowledge Base article Q830056 begins with:
This step-by-step article describes how to create an offline certificate request when you do not have direct network access to the certification authority (CA). You may have to create an offline certificate request in situations where a branch office domain controller has no connection to the CA.
For example, a branch office domain controller may be connected to the central site only through a firewall, and only port 25 may be open for Simple Mail Transfer Protocol (SMTP) replication. The domain controller cannot enroll a domain controller certificate, and therefore SMTP replication will fail. Because the CA is located in the central site, and the firewall is blocking RPC traffic, the branch office domain controller cannot contact the CA to enroll its certificate. In this situation, you must request the domain controller certificate offline.
To request a domain controller certificate, you typically establish a temporary virtual private network (VPN) or Internet Protocol security (IPSec) connection between the branch office domain controller and the CA in the central site. Then you request the certificate online, either by using autoenrollment or by using the Certificates Microsoft Management Console (MMC). However, sometimes you cannot follow these steps to request a domain controller certificate. For example, if your firewall or your security policy does not allow a temporary VPN or IPSec connection between the branch office domain controller and the CA in the central site, you must request the domain controller certificate offline. In these cases, you can request an offline domain controller certificate by transferring the request onto a floppy disk. You can take the floppy disk to a location in the domain where connectivity to the CA is available.
See the complete article at 830056.