---
title: Certificates
description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.topic: reference
ms.date: 01/25/2024
---

# Certificates (Windows Configuration Designer reference)

Use to deploy Root Certificate Authority (CA) certificates to devices. The following list describes the purpose of each setting group.

- In [CACertificates](#cacertificates), you specify a certificate that will be added to the Intermediate CA store on the target device.
- In [ClientCertificates](#clientcertificates), you specify a certificate that will be added to the Personal store on the target device, and provide (password, keylocation), (and configure whether the certificate can be exported).
- In [RootCertificates](#rootcertificates), you specify a certificate that will be added to the Trusted Root CA store on the target device.
- In [TrustedPeopleCertificates](#trustedpeoplecertificates), you specify a certificate that will be added to the Trusted People store on the target device.
- In [TrustedProvisioners](#trustedprovisioners), you specify a certificate that allows devices to automatically trust packages from the specified publisher.

## Applies to

| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
| All setting groups | ✅ |  ✅ | ✅ | ✅ |

## CACertificates

1. In **Available customizations**, select **CACertificates**, enter a friendly name for the certificate, and then click **Add**.
1. In **Available customizations**, select the name that you created.

1. In **CertificatePath**, browse to or enter the path to the certificate.

## ClientCertificates

1. In **Available customizations**, select **ClientCertificates**, enter a friendly name for the certificate, and then click **Add**.
1. In **Available customizations**, select the name that you created. The following table describes the settings you can configure. Settings in **bold** are required.

| Setting | Value | Description |
| --- | --- | ---- |
| **CertificatePassword** | |  |
| **CertificatePath** |  | Adds the selected certificate to the Personal store on the target device. |
| ExportCertificate | True or false | Set to **True** to allow certificate export.  |
| **KeyLocation** | - TPM only</br>- TPM with software fallback</br>- Software only  |  |

## RootCertificates

1. In **Available customizations**, select **RootCertificates**, enter a friendly name for the certificate, and then click **Add**.
1. In **Available customizations**, select the name that you created.
1. In **CertificatePath**, browse to or enter the path to the certificate.

## TrustedPeopleCertificates

1. In **Available customizations**, select **TrustedPeopleCertificates**, enter a friendly name for the certificate, and then click **Add**.
1. In **Available customizations**, select the name that you created.
1. In **TrustedCertificate**, browse to or enter the path to the certificate.

## TrustedProvisioners

1. In **Available customizations**, select **TrustedPprovisioners**, enter a CertificateHash, and then click **Add**.
1. In **Available customizations**, select the name that you created.

1. In **TrustedProvisioner**, browse to or enter the path to the certificate.

## Related topics

- [RootCATrustedCertficates configuration service provider (CSP)](/windows/client-management/mdm/rootcacertificates-csp)