Hi, @ige dan
Thank you for posting in Microsoft Q&A forum.
The clients do not require the PKI certificate, only the software update point server needs to have the certificate installed.
This is because the certificate is used to secure the communication between the software update point and the WSUS server. The clients communicate with the software update point, not directly with the WSUS server.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".