ISO 9000 says provider - supplier organization that provides a product or a service and examples are producer, distributor, retailer or vendor of a product or a service. That's ISO.
I know, that some suppliers still refuse to certify themselves and see profit in hiding own non-certified "management system" under certified system of own distributors, but IATF 16949 standard give us emergency exit - customer's waiver for contacting non-ISO certified supplier, but under condition, we will perform second-party audits.. Focus is on suppliers falling under 8.4.1 a), b) or c), not a toilet refreshers.
Additionally there is one old (requirement was already in ISO/TS 16949) concern with 8.6.4 c) where audit of distributor's site is pure nonsense, as there is no value added process in place assuring provided product conformance to requirements. So it precludes receiving inspection based on "good quality" certificates only manufacturer is authorised to issue.