# Generate a Self-Signed Certificate

*Applies to: Patch My PC Publisher*

The **Generate a Self-Signed Certificate** option allows Publisher to create a code-signing certificate. This option is commonly used when allowing ConfigMgr to manage the certificate is not desired, or in standalone WSUS environments where self-signed certificates are permitted and a Certificate Authority is not available.

<figure><img src="https://3773699522-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FNW9Nt6EaPKxo1YYSbFyH%2Fimage.png?alt=media&#x26;token=f3601ddb-12a5-46b2-9719-d9a0e79c3f5b" alt="Generate a self-signed certificate" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
**Note**

By default, the generated certificate’s **private key is marked as exportable**. This is intentional and recommended, as it allows the certificate (including the private key) to be exported and reused if the Publisher is later moved to a new top-level Software Update Point (SUP). Without an exportable private key, the same signing certificate could not be transferred to another server.
{% endhint %}

If a code-signing certificate is already configured, Publisher will prompt for confirmation before overwriting it, even if the existing certificate is still valid. This helps prevent accidental replacement of an active signing certificate.

Follow the steps below to generate a self-signed code-signing certificate:

1. Open the Patch My PC Publisher.
2. Navigate to **General > Generate a Self-Signed Certificate**.
3. Review or adjust the certificate options:
   * Subject (Default: PatchMyPC Service)
   * Validity period (Default: 5 years)
   * Key length (Default: 2048 bits)
4. (Optional) Leave **Disable Private Key Export** unchecked if you may need to move Publisher to another top-level SUP in the future and want to take the same code-signing certificate to the new server.
5. Select **Generate Certificate**.
6. If prompted to overwrite an existing certificate, confirm to proceed.

{% hint style="info" %}
**Note**

After generation, the self-signed certificate is automatically placed in the following **Local Machine** certificate stores on the server:

* **WSUS**\
  Used by the Publisher, through the WSUS API, to sign third-party updates.
* **Trusted Publishers**\
  Allows the operating system to trust updates signed with this certificate.
* **Trusted Root Certification Authorities**\
  Required because the certificate is **self-signed** and does not chain back to a trusted Certificate Authority.
{% endhint %}
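The following PowerShell script is an added example, not code from Patch My PC, for confirming on the WSUS/Publisher server that the generated certificate has the properties chosen above (self-signed, code-signing EKU, key length, validity period, exportable private key) and that a copy with the same thumbprint sits in each of the three stores the note lists. It assumes the default subject `PatchMyPC Service`; the `$Subject` value is the only thing to change if you set a different one. The script only reads key metadata and never exports the private key.

```powershell
# Added example (not Patch My PC's code): inspect the certificate Publisher generated
# and confirm it is present in the expected Local Machine stores.
# Assumes the default Subject "PatchMyPC Service"; run elevated on the Publisher server.

$Subject        = 'CN=PatchMyPC Service'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Publisher signs through the WSUS API, so the WSUS store holds the copy that matters.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' |
    Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$Subject' found in Cert:\LocalMachine\WSUS"
}

# Key size and exportability. CNG keys expose ExportPolicy; legacy CSP keys expose
# CspKeyContainerInfo.Exportable. This reads the flag only; nothing is exported.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$exportable = $null
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $rsa.CspKeyContainerInfo.Exportable
}

$hasCodeSigningEku = $cert.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku

# Check the other two stores by thumbprint, so an older certificate with the same
# subject but a different key is not mistaken for the current one.
$inTrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
$inRoot             = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

[pscustomobject]@{
    Subject              = $cert.Subject
    Thumbprint           = $cert.Thumbprint
    SelfSigned           = ($cert.Subject -eq $cert.Issuer)
    NotBefore            = $cert.NotBefore
    NotAfter             = $cert.NotAfter
    ValidYears           = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
    KeyLengthBits        = $rsa.KeySize
    HasCodeSigningEku    = $hasCodeSigningEku
    PrivateKeyExportable = $exportable
    InTrustedPublisher   = $inTrustedPublisher
    InTrustedRoot        = $inRoot
}
```

With the defaults described above, a healthy result shows `SelfSigned`, `HasCodeSigningEku`, `PrivateKeyExportable`, `InTrustedPublisher` and `InTrustedRoot` all `True`, `KeyLengthBits` of 2048 and `ValidYears` close to 5. A `False` in either store column means updates signed with this certificate will not be trusted on the server itself, regardless of what clients have.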

{% hint style="warning" %}
**Important**

Because self-signed certificates do not have a parent Certificate Authority, they must be explicitly trusted to establish a valid trust chain. For environments using ConfigMgr or WSUS, this means the certificate must be trusted not only on the WSUS server, but also on **all devices that will install updates signed with the certificate**.

As a result, the self-signed certificate must be placed in the **Trusted Publishers** store (to allow installation of signed updates) and the **Trusted Root Certification Authorities** store (to establish trust for the signing certificate) on those devices.

When third-party updates are enabled for the Software Update Point and in Client Settings, ConfigMgr can automatically distribute the signing certificate to managed devices, place it into the required certificate stores, and configure the necessary local Windows Update policies so the Windows Update Agent trusts that signing certificate. This ensures client devices trust updates signed by a third-party code-signing certificate, rather than only updates signed by Microsoft, without requiring manual certificate deployment. See [Client Settings](https://docs.patchmypc.com/patch-my-pc-publisher/publisher-requirements/configmgr-requirements/client-settings) for more information.
{% endhint %}
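To confirm on a managed device that the distribution described above actually took effect, the following PowerShell function is an added example (not Patch My PC's or ConfigMgr's code). It takes the signing certificate's thumbprint, checks the **Trusted Publishers** and **Trusted Root Certification Authorities** stores for a currently valid copy, and reads the Windows Update `AcceptTrustedPublisherCerts` policy value. The page does not say which local policies ConfigMgr configures, so treating that policy (the standard "Allow signed updates from an intranet Microsoft update service location" setting) as the one to check is an assumption of this example; the thumbprint in the usage line is a placeholder.

```powershell
# Added example (not Patch My PC's code): verify client-side trust for the signing
# certificate. Run elevated on a client; the thumbprint comes from the Publisher server.

function Test-PublisherSigningTrust {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Tolerate thumbprints pasted with spaces or colons from the certificate UI.
    $Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''

    $stores = [ordered]@{
        TrustedPublisher = "Cert:\LocalMachine\TrustedPublisher\$Thumbprint"
        TrustedRoot      = "Cert:\LocalMachine\Root\$Thumbprint"
    }
    $result = [ordered]@{ Thumbprint = $Thumbprint }
    $now = Get-Date

    foreach ($name in $stores.Keys) {
        $cert = Get-Item -Path $stores[$name] -ErrorAction SilentlyContinue
        $result["In$name"] = [bool]$cert
        # An expired or not-yet-valid copy in the store still fails the trust check,
        # so report validity alongside presence.
        $result["${name}Valid"] = if ($cert) { ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now) } else { $false }
    }

    # Assumption of this example: the relevant Windows Update Agent policy is
    # AcceptTrustedPublisherCerts (1 = accept updates signed by a trusted publisher).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $policyPath -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
    $result['AcceptTrustedPublisherCerts'] = if ($policy) { [int]$policy.AcceptTrustedPublisherCerts } else { $null }

    $result['Ready'] = $result['TrustedPublisherValid'] -and
                       $result['TrustedRootValid'] -and
                       ($result['AcceptTrustedPublisherCerts'] -eq 1)
    [pscustomobject]$result
}

# Usage (constructed placeholder, not a real thumbprint):
Test-PublisherSigningTrust -Thumbprint 'PLACEHOLDER_THUMBPRINT_FROM_PUBLISHER_SERVER'
```

`Ready` is `True` only when both stores hold a valid copy and the policy is set; if a device reports `False` for either store after client settings were applied, the certificate has not reached that device yet, and updates signed with it will be rejected by the Windows Update Agent.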
