A code signing certificate is required when using Patch for MEM with Configuration Manager and WSUS to publish third-party updates. In general, you must:
1.Create a code signing certificate.
You can do this using either an internal Certificate Authority (CA) or your WSUS server.
2.(Conditional) If you use an internal CA to create the code signing certificate, you must import the certificate into WSUS, which you can do using Patch for MEM.
If you use WSUS to create the code signing certificate, the certificate will be automatically imported into WSUS.
3.Export the certificate.
4.Distribute the code signing certificate to the appropriate certificate stores on all your WSUS servers, your remote Configuration Manager consoles and to your client machines.
•Trusted Publishers certificate store
•Trusted Root Certificate Authorities certificate store
This section provides details on how to accomplish each of these tasks.
Alternate Creation and Distribution Method if You are Using Configuration Manager 1806 or Later
You can have Configuration Manager create the signing certificate and distribute it to your client machines.
1.Within your Software Update Point, on the Third Party Updates tab, enable the Configuration Manager manages the certificate option.
2.In your Client Settings, on the Software Updates tab, specify Yes for the Enable third party software updates option.
3.Run a synchronization of your software update point.
If a certificate is not detected, one is automatically generated for you and distributed to your client machines.
For more information, see: https://docs.microsoft.com/en-us/mem/configmgr/sum/deploy-use/third-party-software-updates.