# Certificates

*Applies to: Patch My PC Publisher*

{% hint style="success" %}
**Tip**

Detailed guidance on certificate creation, selection, trust requirements, and lifecycle management is covered on the [Administration > General > Certificate Management](https://docs.patchmypc.com/patch-my-pc-publisher/administration/general/certificate-management) page.
{% endhint %}

When working with WSUS or ConfigMgr, correct certificate configuration is required to ensure that updates are trusted and considered secure by the platform. Microsoft enforces this by requiring all third-party and custom updates to be code signed before they can be published into WSUS. This applies specifically to the CAB files that contain update metadata and content.

To meet this requirement, the Publisher must be provided with a code-signing certificate. This certificate is used to sign third-party updates during the publishing process, allowing WSUS and managed devices to validate the origin and integrity of the updates.

Publisher supports multiple certificate configuration options to accommodate different organizational, security, and compliance requirements:

* **ConfigMgr–managed certificate**\
  When using WSUS as part of a Software Update Point, ConfigMgr can automatically generate and manage a self-signed WSUS signing certificate. This is the simplest and most commonly used option.
* **Publisher-generated self-signed certificate**\
  The Publisher can create and manage its own self-signed code-signing certificate, which is commonly used in WSUS-only environments or where ConfigMgr is not available to manage the certificate.
* **Customer-provided PKI certificate (PFX)**\
  Organizations with stricter security or compliance requirements can provide a PFX file containing a code-signing certificate issued by an internal or public Certificate Authority.

In most environments, allowing ConfigMgr or the Publisher to manage a self-signed certificate is sufficient. However, for organizations that require certificate revocation, centralized PKI governance, or formal audit controls, importing a PKI-issued certificate may be necessary.
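Whichever option is chosen, the state of the signing certificate on the WSUS server can be audited with a short script. The following is an added example, not part of the Publisher or its documentation. It assumes the standard Windows certificate stores under `LocalMachine` (`WSUS`, `TrustedPublisher`, `Root`), which this page does not name, and the 60-day renewal threshold is a hypothetical value.

```powershell
# Added example: audit the WSUS signing certificate on the WSUS server.
# Assumption: the signing certificate lives in Cert:\LocalMachine\WSUS.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage
$warnDays       = 60                     # hypothetical renewal threshold

function Test-CertInStore {
    param([string]$StoreName, [string]$Thumbprint)
    # True when a certificate with this thumbprint exists in the named store.
    Test-Path -Path "Cert:\LocalMachine\$StoreName\$Thumbprint"
}

$certs = Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' -ErrorAction SilentlyContinue
if (-not $certs) {
    Write-Warning 'No certificate found in Cert:\LocalMachine\WSUS.'
    return
}

foreach ($cert in $certs) {
    $ekuOids    = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays

    # A self-signed certificate must also be trusted as a root;
    # a PKI-issued one chains to a CA instead, so the check is skipped.
    $inRoot = if ($selfSigned) {
        Test-CertInStore -StoreName 'Root' -Thumbprint $cert.Thumbprint
    } else { $null }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotAfter           = $cert.NotAfter
        DaysRemaining      = $daysLeft
        ExpiringSoon       = ($daysLeft -lt $warnDays)
        HasCodeSigningEku  = ($ekuOids -contains $codeSigningOid)
        HasPrivateKey      = $cert.HasPrivateKey
        SelfSigned         = $selfSigned
        InTrustedPublisher = Test-CertInStore -StoreName 'TrustedPublisher' -Thumbprint $cert.Thumbprint
        InTrustedRoot      = $inRoot
    }
}
```

Run it in an elevated PowerShell session on the WSUS server. A row with `HasCodeSigningEku` or `HasPrivateKey` set to `False`, or with `ExpiringSoon` set to `True`, points to a certificate that needs attention before the next publish.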

